Found this entry in the log this morning. Never have seen such before.......
--------------------- Named Begin ------------------------
**Unmatched Entries** dispatch 0x8ea6e48: shutting down due to TCP receive error: connection reset: 1 Time(s)
---------------------- Named End -------------------------
-- Snowman
On 12/6/05, Sam Drinkard sam@wa4phy.net wrote:
> Found this entry in the log this morning. Never have seen such before.......
> --------------------- Named Begin ------------------------
> **Unmatched Entries** dispatch 0x8ea6e48: shutting down due to TCP receive error: connection reset: 1 Time(s)
> ---------------------- Named End -------------------------
> -- Snowman
As I understand it, this is caused by named being fed bad packets, either by some form of automated attack, or crappy dns server that named queried on its way to find out what you asked it for. Depending on the verbosity of the named logs you keep, you could grep this out, and look at the queries near it to see if there's a particular cause. Or it may not be worth it to you.
--
Jim Perrin
System Architect - UIT
Ft Gordon & US Army Signal Center
Jim Perrin wrote:
> On 12/6/05, Sam Drinkard sam@wa4phy.net wrote:
> > Found this entry in the log this morning. Never have seen such before.......
> > --------------------- Named Begin ------------------------
> > **Unmatched Entries** dispatch 0x8ea6e48: shutting down due to TCP receive error: connection reset: 1 Time(s)
> > ---------------------- Named End -------------------------
> > -- Snowman
> As I understand it, this is caused by named being fed bad packets, either by some form of automated attack, or crappy dns server that named queried on its way to find out what you asked it for. Depending on the verbosity of the named logs you keep, you could grep this out, and look at the queries near it to see if there's a particular cause. Or it may not be worth it to you.
> --
> Jim Perrin
> System Architect - UIT
> Ft Gordon & US Army Signal Center
Thanks Jim. I'd never ever seen anything happen to named, on BSD or Linux before. As for logs, what level of logging is "stock" is what I would expect doing a dump. May give that a shot and see what, if anything is in there. Not really been plagued by hackers too much, but I notice I've been probed several days in a row now from something/body in the same /16 ip block. Don't think it's local to the colocation site tho.
> Thanks Jim. I'd never ever seen anything happen to named, on BSD or Linux before. As for logs, what level of logging is "stock" is what I would expect doing a dump. May give that a shot and see what, if anything is in there. Not really been plagued by hackers too much, but I notice I've been probed several days in a row now from something/body in the same /16 ip block. Don't think it's local to the colocation site tho.
For what it's worth, I've included my named logging information below. Normally I don't set to debug, but when I need to troubleshoot it helps. I've included that here. Might help you to track things down if you care, or give other people some information for something they haven't asked.
In /etc/syslog.conf

    # line altered to eliminate named cruft in default logging
    *.info;mail.none;authpriv.none;cron.none;local6.none    /var/log/messages

    # line added for syslog logging of named
    local6.*                                                /var/log/named.log
In /etc/named.conf

    logging {
        channel "default_syslog" {
            syslog local6;
            severity debug;
        };
        category default      { default_syslog; };
        category general      { default_syslog; };
        category config       { default_syslog; };
        category security     { default_syslog; };
        category resolver     { default_syslog; };
        category xfer-in      { default_syslog; };
        category xfer-out     { default_syslog; };
        category notify       { default_syslog; };
        category client       { default_syslog; };
        category network      { default_syslog; };
        category update       { default_syslog; };
        category queries      { default_syslog; };
        category lame-servers { default_syslog; };
    };
In /etc/logrotate.d/named

    /var/log/named.log {
        missingok
        create 0644 named named
        postrotate
            /sbin/service named reload 2> /dev/null > /dev/null || true
        endscript
    }
Hope it's marginally useful to someone out there.
--
Jim Perrin
System Architect - UIT
Ft Gordon & US Army Signal Center
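To do the "grep this out and look at the queries near it" that Jim suggests against the /var/log/named.log his local6 channel fills, here is an added Python example (not code from anyone in this thread) that finds the dispatch error in the raw syslog lines, lists the queries logged within a few seconds of it, and tallies the client /16 blocks, the granularity Sam mentioned. It assumes BIND 9's query-log line layout (client IP#port: query: NAME IN TYPE) and a constructed sample log; Sam's snippet is a logwatch summary, not the raw line, so point it at the syslog file itself.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of /var/log/named.log as the local6 channel would fill it
# (syslog prefix, then named's message). Hostname, PID and addresses are made up.
SAMPLE_LOG = """\
Dec  6 03:14:20 ns1 named[1234]: client 198.51.100.7#40211: query: www.example.com IN A +
Dec  6 03:14:21 ns1 named[1234]: client 198.51.100.9#40212: query: mail.example.com IN MX +
Dec  6 03:14:22 ns1 named[1234]: dispatch 0x8ea6e48: shutting down due to TCP receive error: connection reset
Dec  6 03:14:23 ns1 named[1234]: client 203.0.113.5#53000: query: example.com IN A +
Dec  6 03:20:00 ns1 named[1234]: client 203.0.113.5#53001: query: example.org IN A +
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: (.*)$")
# Assumed BIND 9 query-log shape: "client IP#port: query: NAME IN TYPE ..."
QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\S+)")
ERROR_MARK = "shutting down due to TCP receive error"

def parse(log_text, year=2005):
    """Return [(timestamp, message)] for each named line; syslog omits the year, so supply it."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            entries.append((ts, m.group(2)))
    return entries

def queries_near_errors(entries, window_seconds=5):
    """For every dispatch error, gather queries logged within +/- window_seconds
    and count how many came from each client /16 block."""
    error_times = [ts for ts, msg in entries if ERROR_MARK in msg]
    nearby, blocks = [], Counter()
    for err_ts in error_times:
        for ts, msg in entries:
            q = QUERY_RE.search(msg)
            if q and abs((ts - err_ts).total_seconds()) <= window_seconds:
                ip, name, rtype = q.groups()
                blocks[".".join(ip.split(".")[:2]) + ".0.0/16"] += 1
                nearby.append((ts, ip, name, rtype))
    return len(error_times), nearby, blocks

if __name__ == "__main__":
    count, nearby, blocks = queries_near_errors(parse(SAMPLE_LOG))
    print(f"{count} dispatch error(s); queries within the window:")
    for ts, ip, name, rtype in nearby:
        print(f"  {ts:%b %d %H:%M:%S}  {ip:<16} {name} {rtype}")
    print("client /16 blocks:", dict(blocks))
```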
Jim Perrin wrote:
> On 12/6/05, Sam Drinkard sam@wa4phy.net wrote:
> > Found this entry in the log this morning. Never have seen such before.......
> > --------------------- Named Begin ------------------------
> > **Unmatched Entries** dispatch 0x8ea6e48: shutting down due to TCP receive error: connection reset: 1 Time(s)
> > ---------------------- Named End -------------------------
> As I understand it, this is caused by named being fed bad packets, either by some form of automated attack, or crappy dns server that named queried on its way to find out what you asked it for. Depending on the verbosity of the named logs you keep, you could grep this out, and look at the queries near it to see if there's a particular cause. Or it may not be worth it to you.
I've been getting these lately too...on servers in the US/China/Australia. So I suspect it's another idiotic scriptkiddie attack.
Cheers,