/var partition overflow (due to spyware?) in FreeBSD default install

Ian Smith smithi at nimnet.asn.au
Fri Oct 24 06:27:39 PDT 2003


On Thu, 23 Oct 2003, Brett Glass wrote:

 > At 08:46 PM 10/23/2003, David G. Andersen wrote:
 > 
 > >the problem is very obviously an excess of messages from bind.
 > >This bug report should go to the ISC folks.
 > 
 > Indeed. Or perhaps we can integrate a patch into FreeBSD and
 > then forward it up to ISC.

Perhaps bind is sending an excess of error messages because there is an
excess of errors?  Surely it's easier to fix the problem by disabling or
disallowing whatever or whoever is hitting bind with invalid requests?

 > >No daemon should
 > >be spewing out log messages at the _incredible_ rate that
 > >bind does when it decides it doesn't like what it's getting
 > >in this context.  The same bug can be triggered by using a
 > >forwarding nameserver that bind doesn't like.
 > 
 > Interesting. What does BIND "not like" about certain forwarders?

Why not just enable debug logging and find the heck out?  Still using
bind 4 here :) but I'm sure that two, three at most, of

 # kill -USR1 `cat /var/run/named.pid`

(ono) will provide copious blow by blow request/response logging.

These get big even faster, but you only need enough for analysis of who
or what's generating this unexpected traffic.  ipfw deny works a treat.

 > >The immediate question to ask is, "is this fixed in bind9?"

Is it bind that's broken for saying too much, or something actually
generating those requests and thus error responses, needing fixing?

Cheers, Ian
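The analyse-then-block approach Ian sketches (raise named's logging with `kill -USR1`, find who is generating the unexpected traffic, then `ipfw deny` it), as an added example that is not part of the original thread: a POSIX shell script that tallies which clients dominate a BIND log and prints, without executing, the ipfw rule an operator could apply once the source is confirmed. The log lines are constructed, and the `client A.B.C.D#port:` token (BIND 8/9 style query logging) is an assumption about the log format.

```shell
#!/bin/sh
# Constructed sample of syslog lines as BIND query logging might emit them
# (assumed format; not taken from the original post). One line has no
# "client" token so the parser is shown ignoring non-query messages.
SAMPLE_LOG='Oct 23 20:46:01 ns named[123]: starting.  named 8.3.7-REL
Oct 23 20:46:02 ns named[123]: client 192.0.2.10#3214: query: example.invalid IN A
Oct 23 20:46:02 ns named[123]: client 198.51.100.7#5111: query: www.example.com IN A
Oct 23 20:46:03 ns named[123]: client 192.0.2.10#3215: query: example.invalid IN A
Oct 23 20:46:03 ns named[123]: client 192.0.2.10#3216: query: example.invalid IN A
Oct 23 20:46:04 ns named[123]: client 203.0.113.4#4000: query: example.org IN MX
Oct 23 20:46:04 ns named[123]: client 192.0.2.10#3217: query: example.invalid IN A
Oct 23 20:46:05 ns named[123]: client 198.51.100.7#5112: query: www.example.com IN A
Oct 23 20:46:05 ns named[123]: client 192.0.2.10#3218: query: example.invalid IN A'

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"

# Extract the client address from every line carrying a "client A.B.C.D#port:"
# token, then count lines per address; output is "count address", busiest first.
query_sources() {
    sed -n 's/.*client \([0-9.]*\)#[0-9]*:.*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Only the single busiest client, as "count address".
top_query_source() {
    query_sources "$1" | head -n 1
}

# Print (do NOT run) the ipfw rule that would drop DNS traffic from the busiest
# client. An operator reviews the tally first; nothing here changes the firewall.
suggest_ipfw_deny() {
    addr=$(top_query_source "$1" | awk '{print $2}')
    printf 'ipfw add deny udp from %s to me 53\n' "$addr"
}

echo "Queries per client:"
query_sources "$SAMPLE_FILE"
echo "Candidate rule (review before applying):"
suggest_ipfw_deny "$SAMPLE_FILE"
```

Point the functions at /var/log/messages (or wherever syslog puts named's output) instead of the sample file to run this against a real log.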
