[CentOS] bind (named) compromised?

Sun Feb 9 20:55:04 UTC 2014
Peter Eckel <lists at eckel-edv.de>

Hi James, 

you seem to be running an open DNS resolver, is that correct? And if so, do you do it intentionally?

I just received an US-CERT alert today that warns about ongoing amplification attacks, among others against DNS, but also against some other UDP based services.


From the symptoms you describe I'd say that your DNS server is being used in such an attack. 

> I also see a chroot directory, but if I grep for named it doesn't appear 
> to be using the chroot(?):
> # ps aux | grep named
> named     3497  0.4  0.7 170088 15836 ?        Ssl  23:02   0:02 
> /usr/sbin/named -u named
> root      3763  0.0  0.0  61192   764 pts/1    S+   23:13   0:00 grep named

Do you have the bind-chroot package installed?

Best regards, 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.centos.org/pipermail/centos/attachments/20140209/d30437e4/attachment-0005.sig>