
** VERY WEIRD ATTACK ?? **


Jason L. Schwab

Feb 3, 2000, 3:00:00 AM
to freebsd-...@freebsd.org, te...@openbsd.org, openbs...@openbsd.org, gha...@mindless.com, pe...@databits.nrt, ro...@uswest.net, mvmf...@hotmail.com, d...@tasam.com, kidl...@phi.compinet.com
My machine is running named 4.9.7 (OpenBSD 2.6 with custom kernel)

this has happened twice now....

Each time this happens, my box totally freaks out, doesn't lock up
or die per se, but all network connections instantly die. can't even
ping it till about 5-10 mins later and it's back again just like normal.


any ideas? Thanks!

(cut from /var/log/messages via grep)


Feb 2 14:24:28 mercury named[5836]: ns_req: sendto([203.29.160.4].1477): No buffer space available
Feb 2 17:12:24 mercury named[5836]: ns_req: sendto([24.2.10.67].43089): No buffer space available
Feb 2 17:12:27 mercury named[5836]: ns_req: sendto([206.161.83.22].2118): No buffer space available
Feb 2 17:12:44 mercury named[5836]: ns_req: sendto([205.177.10.10].3234): No buffer space available
Feb 2 17:14:48 mercury named[5836]: ns_req: sendto([216.68.4.10].1028): No buffer space available
Feb 2 17:14:52 mercury named[5836]: ns_req: sendto([216.1.251.56].1354): No buffer space available
Feb 2 17:15:21 mercury named[5836]: ns_forw: sendto([198.17.208.67].53): No buffer space available
Feb 2 17:15:29 mercury named[5836]: ns_req: sendto([198.17.46.33].2730): No buffer space available
Feb 2 17:15:30 mercury named[5836]: ns_req: sendto([24.25.195.3].53): No buffer space available
Feb 2 17:16:19 mercury named[5836]: sysquery: sendto([192.33.4.12].53): No buffer space available
Feb 2 17:17:14 mercury named[5836]: ns_resp: sendto([209.117.223.51].53): No buffer space available
Feb 2 17:17:47 mercury named[5836]: ns_forw: sendto([206.165.6.10].53): No buffer space available
Feb 2 17:18:01 mercury named[5836]: sysquery: sendto([198.6.1.181].53): No buffer space available
Feb 2 17:18:01 mercury named[5836]: ns_resp: sendto([170.140.1.1].53): No buffer space available
Feb 2 17:18:06 mercury named[5836]: ns_forw: sendto([198.6.1.82].53): No buffer space available
Feb 2 17:19:37 mercury named[5836]: ns_forw: sendto([207.155.183.72].53): No buffer space available
Feb 2 17:33:44 mercury named[5836]: ns_req: sendto([204.70.11.50].53): No buffer space available
Feb 2 17:33:59 mercury named[5836]: ns_req: sendto([166.62.255.220].38732): No buffer space available
Feb 2 17:34:15 mercury named[5836]: ns_forw: sendto([207.155.183.73].53): No buffer space available
Feb 2 17:36:06 mercury named[5836]: ns_req: sendto([199.2.32.11].58291): No buffer space available
Feb 2 17:39:00 mercury named[5836]: ns_forw: sendto([216.95.146.4].53): No buffer space available
Feb 2 20:03:58 mercury named[4260]: ns_forw: sendto([198.17.208.67].53): No buffer space available
Feb 2 20:07:10 mercury named[4260]: ns_req: sendto([207.108.240.1].1029): No buffer space available
Feb 2 20:08:25 mercury named[4260]: ns_req: sendto([206.161.83.22].4998): No buffer space available
Feb 2 20:08:52 mercury named[4260]: sysquery: sendto([128.63.2.53].53): No buffer space available
Feb 2 20:09:11 mercury named[4260]: ns_req: sendto([205.177.10.10].3339): No buffer space available
Feb 2 20:13:13 mercury named[4260]: ns_req: sendto([216.70.64.1].53): No buffer space available
Feb 2 20:13:18 mercury named[4260]: ns_forw: sendto([216.70.64.2].53): No buffer space available

Hugh Graham

Feb 3, 2000, 3:00:00 AM
to Jason L. Schwab
On Wed, Feb 02, 2000 at 08:22:27PM -0700, Jason L. Schwab wrote:
> My machine is running named 4.9.7 (OpenBSD 2.6 with custom kernel)
>
> this has happened twice now....
>
> Each time this happens, my box totally freaks out, doesn't lock up
> or die per se, but all network connections instantly die. can't even
> ping it till about 5-10 mins later and it's back again just like normal.
>
>
> any ideas? Thanks!
>
>
<a log of named complaining about sendto returning ENOBUFS deleted>

It's only an educated guess, but I'll wager this is not named's
fault. Most likely your machine was under some generic DoS attack
which saturated your link. Named complained because it noticed it
couldn't send to the network as it went about its normal named
business. I'd expect to see other daemons complaining in such a
log though.

Check: ``netstat -ssp ip'' from time to time, and see if it has
gone up in a burp after one of these loss of service episodes.

If you're pretty sure I'm wrong, the obvious check is to kill named
and see if the problem occurs again.

/Hugh
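
The reply's two questions (do daemons other than named also hit ENOBUFS, and when exactly were the episodes) can be answered from the syslog itself. The following is an added example, not part of the original thread: it groups ENOBUFS lines into episodes and counts complaints per daemon. The year (syslog omits it), the 30-minute gap threshold and the `exampled` line are assumptions; the named lines are taken from the log excerpt above.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Any syslog line whose message reports ENOBUFS, whatever the daemon.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d+ [\d:]{8}) \S+ (?P<proc>[^\s\[:]+)"
                     r"(?:\[\d+\])?: (?P<msg>.*No buffer space available)")
DEST_RE = re.compile(r"sendto\(\[([\d.]+)\]\.\d+\)")  # named's destination format

def parse(lines, year=2000):
    """Return (time, process, dest_ip or None) per ENOBUFS line.
    Syslog omits the year, so `year` is an assumption supplied by the caller."""
    events = []
    for line in lines:
        m = LINE_RE.match(" ".join(line.split()))  # collapse "Feb  2" padding
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            dest = DEST_RE.search(m["msg"])
            events.append((ts, m["proc"], dest.group(1) if dest else None))
    return events

def episodes(events, gap=timedelta(minutes=30)):
    """Split events into episodes separated by more than `gap` of silence."""
    out = []
    for ev in sorted(events, key=lambda e: e[0]):
        if out and ev[0] - out[-1][-1][0] <= gap:
            out[-1].append(ev)
        else:
            out.append([ev])
    return out

def summarize(ep):
    """Episode window, which daemons complained, and how many peers were hit."""
    return {"start": ep[0][0], "end": ep[-1][0],
            "by_process": Counter(e[1] for e in ep),
            "destinations": len({e[2] for e in ep if e[2]})}

# Six named lines from the post; the `exampled` line is constructed.
SAMPLE = """\
Feb 2 14:24:28 mercury named[5836]: ns_req: sendto([203.29.160.4].1477): No buffer space available
Feb 2 17:12:24 mercury named[5836]: ns_req: sendto([24.2.10.67].43089): No buffer space available
Feb 2 17:15:21 mercury named[5836]: ns_forw: sendto([198.17.208.67].53): No buffer space available
Feb 2 17:16:02 mercury exampled[102]: send: No buffer space available
Feb 2 17:39:00 mercury named[5836]: ns_forw: sendto([216.95.146.4].53): No buffer space available
Feb 2 20:03:58 mercury named[4260]: ns_forw: sendto([198.17.208.67].53): No buffer space available
Feb 2 20:13:18 mercury named[4260]: ns_forw: sendto([216.70.64.2].53): No buffer space available
""".splitlines()

if __name__ == "__main__":
    for ep in episodes(parse(SAMPLE)):
        print(summarize(ep))
```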
