[CentOS] bind (named) compromised?

Sun Feb 9 20:55:04 UTC 2014
Peter Eckel <lists at eckel-edv.de>

Hi James,

You seem to be running an open DNS resolver, is that correct? And if so, do you do it intentionally?

I just received a US-CERT alert today that warns about ongoing amplification attacks, among others against DNS, but also against some other UDP-based services.

<https://www.us-cert.gov/ncas/alerts/TA14-017A>

From the symptoms you describe I'd say that your DNS server is being used in such an attack.

> I also see a chroot directory, but if I grep for named it doesn't appear 
> to be using the chroot(?):
> # ps aux | grep named
> named     3497  0.4  0.7 170088 15836 ?        Ssl  23:02   0:02 /usr/sbin/named -u named
> root      3763  0.0  0.0  61192   764 pts/1    S+   23:13   0:00 grep named

Do you have the bind-chroot package installed?

Best regards,

  Peter.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.centos.org/pipermail/centos/attachments/20140209/d30437e4/attachment-0005.sig>
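The two questions Peter raises (is the server an open recursive resolver, and is named really running in the chroot?) can both be answered from artefacts the admin already has: the options block of named.conf and the `ps aux` output quoted above. The script below is an added example, not code from the thread or from the BIND project. It follows BIND 9's documented fallback order for `allow-recursion` (allow-recursion, then allow-query-cache, then allow-query, then `{ localnets; localhost; }`), and reads the `-t` argument that bind-chroot adds to named's command line. The named.conf snippets and the chrooted ps line are constructed samples; the non-chrooted ps line mirrors the one quoted in the thread. It assumes a single global `options` block and does not follow views, named ACLs or `include` files.

```python
"""Defender-side checks for a BIND (named) host suspected of being abused as a
DNS amplifier: (1) does the options block make it an open recursive resolver,
(2) is the running named process actually chrooted?  All sample inputs are
constructed for this example."""
import os
import re

# Constructed: the classic mistake -- allow-query widened to "any" while
# recursion stays on and allow-recursion is never set.
OPEN_NAMED_CONF = """
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;
};
"""

# Constructed: same server, recursion limited to local clients and response
# rate limiting enabled (BIND 9.9.4+ ships RRL, which blunts amplification).
RESTRICTED_NAMED_CONF = """
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };
        allow-recursion { localhost; localnets; 192.0.2.0/24; };
        recursion yes;
        rate-limit { responses-per-second 10; };
};
"""

# The thread's ps output (no -t flag) beside a constructed bind-chroot line.
PS_NOT_CHROOTED = """\
named     3497  0.4  0.7 170088 15836 ?        Ssl  23:02   0:02 /usr/sbin/named -u named
root      3763  0.0  0.0  61192   764 pts/1    S+   23:13   0:00 grep named
"""
PS_CHROOTED = """\
named     2210  0.1  0.6 168040 14120 ?        Ssl  23:02   0:01 /usr/sbin/named -u named -t /var/named/chroot
"""


def _options_block(conf):
    """Return the text inside the top-level 'options { ... }' block ('' if none)."""
    start = re.search(r'\boptions\s*\{', conf)
    if not start:
        return ''
    depth, i = 1, start.end()
    while i < len(conf) and depth:           # walk to the matching close brace
        depth += {'{': 1, '}': -1}.get(conf[i], 0)
        i += 1
    return conf[start.end():i - 1]


def _address_list(opts, name):
    """Entries of 'name { a; b; };' inside opts as a list, or None if unset."""
    m = re.search(r'(?<![\w-])' + re.escape(name) + r'\s*\{([^}]*)\}', opts)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]


def recursion_exposure(conf):
    """Classify an options block as open resolver or not.

    BIND 9 defaults: recursion is on unless 'recursion no;' is set, and
    allow-recursion falls back to allow-query-cache, then allow-query, then
    { localnets; localhost; }.  'any' anywhere in the effective list means
    every Internet host may recurse through this server."""
    opts = _options_block(conf)
    recursion_on = re.search(r'(?<![\w-])recursion\s+no\s*;', opts) is None
    effective = None
    for name in ('allow-recursion', 'allow-query-cache', 'allow-query'):
        effective = _address_list(opts, name)
        if effective is not None:
            break
    if effective is None:
        effective = ['localnets', 'localhost']
    return {
        'recursion': recursion_on,
        'effective_allow_recursion': effective,
        'rate_limit': re.search(r'(?<![\w-])rate-limit\s*\{', opts) is not None,
        'open_resolver': recursion_on and 'any' in effective,
    }


def named_chroot(ps_output):
    """Locate named in 'ps aux' text and report (pid, chroot_path).

    chroot_path is None when named runs on the real root (no -t argument);
    the function returns None when no named process is listed.  On a live
    host, 'readlink /proc/<pid>/root' is the authoritative answer; this only
    reads the command line, which is what the quoted ps output shows."""
    for line in ps_output.splitlines():
        fields = line.split(None, 10)        # user pid %cpu %mem vsz rss tty stat start time command
        if len(fields) < 11:
            continue
        argv = fields[10].split()
        if os.path.basename(argv[0]) != 'named':   # skips the 'grep named' line
            continue
        chroot = None
        if '-t' in argv and argv.index('-t') + 1 < len(argv):
            chroot = argv[argv.index('-t') + 1]
        return int(fields[1]), chroot
    return None


if __name__ == '__main__':
    for label, conf in (('open', OPEN_NAMED_CONF), ('restricted', RESTRICTED_NAMED_CONF)):
        print(label, recursion_exposure(conf))
    print('thread ps:', named_chroot(PS_NOT_CHROOTED))
    print('chrooted ps:', named_chroot(PS_CHROOTED))
```

On a CentOS 6 box the same checks map to `grep -n 'recursion\|allow-' /etc/named.conf`, `rpm -q bind-chroot` and `readlink /proc/$(pidof named)/root`; a named that answers `dig @<its-address> example.com` with the `ra` flag and a full answer for arbitrary clients is what the US-CERT alert means by an open resolver.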