/var partition overflow (due to spyware?) in FreeBSD default install

G. Panula greg.panula at lexisnexis.com
Tue Oct 28 04:30:01 PST 2003 

Brett Glass wrote:
> All:
> 
> I'm posting this to FreeBSD-security (rather than FreeBSD-net) because 
> the problems I'm seeing appear to have been caused by spyware, and 
> because they constitute a possible avenue for denial of service on 
> FreeBSD machines with default installs of the operating system.
> 
> Several of the FreeBSD machines on our network began to act strangely 
> during the past week. Some have started to refuse mail; in other cases, 
> important daemons have died without warning. All of the machines are 
> running 4.x releases of FreeBSD with all recent patches installed, and 
> all are running the version of BIND supplied with FreeBSD. The "top" 
> command, when run on these machines, showed that BIND is consuming very 
> large amounts of CPU time, but this by itself couldn't explain all of 
> the symptoms we were seeing.
> 
> This afternoon, I examined the machines and discovered the problem: full 
> /var partitions caused by huge /var/log/messages files.
> 
> Inspection of the files reveals hundreds of thousands of messages of the 
> form:
> 
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS 
> (ns0.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS 
> (ns1.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS 
> (ns3.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS 
> (ns4.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS 
> (ns6.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS 
> (ns7.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS 
> (ns8.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS 
> (ns11.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS 
> (ns10.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS 
> (ns11.opennic.glue)
> 
> The references to OpenNIC have caused me to suspect (though I have not 
> verified it yet) that the problem is due to the New.Net spyware, which 
> causes Windows machines to query OpenNIC's name servers. From what I've 
> read so far, it appears that New.Net is "foistware" -- that is, it can 
> be installed on innocent users' Windows machines without their consent 
> via holes in Internet Explorer. But if New.Net is not what's 
> responsible, SOMETHING certainly seems to be generating bogus DNS 
> queries, which in turn are causing these messages.
> 
> FreeBSD currently comes configured, in the default install, to check 
> /var/messages only once a day, and to rotate the log file if it's above 
> a certain size. Unfortunately, these messages accumulate so rapidly that 
> this is not sufficient; the /var partition in the default install can 
> easily be overflowed long before the log is rotated, causing 
> malfunctions. I've temporarily changed /etc/crontab so that newsyslog is 
> run every 5 minutes instead of once a day (which may be a good idea to 
> prevent other denials of service via this sort of overflow as well). But 
> it also makes sense to patch the system so that it does not fill so many 
> verbose messages -- and/or to ignore the bogus queries generated by the 
> spyware. It may also pay to patch BIND to limit the overhead that is 
> incurred when such queries occur. Ideas?
> 

Wouldn't a better work-around be either add ns*.opennic.glue addresses 
to named.root or setup a dummy zone for .glue that just returns a 
localhost address to the client?

Or a possible solution would be to setup bind to log directly to its own 
log files and rotate them when needed and turn off logging to syslog.

Bind8&9 allow for logging of various messages to different files and 
letting bind rotate them when needed.  Check out the Bind documention. 
There is a helpful example available at: 
http://logreport.org/doc/gen/dns/bind8.php

Here's a quick example from bind9:
# This setups logging options
# general info is logged to both syslog and a local file
# info about lame-servers is sent to /dev/null
logging {
         channel named_log {
         file "/var/named/named.log" versions 5 size 1m;
         severity info;
         print-time yes;
         };

         channel null {
         null;
         };

category "default" { "named_log"; default_syslog; };
category "lame-servers" { "null"; };
};

I guess as an improvement on the default named.conf, it could include an 
example section on logging options.

greg

More information about the freebsd-security mailing list