Re: Securing bind..

[Petre Daniel <dani@cyber.ro>]

thankz a lot.
Well the thing is,after i've read that advisory,2 days laterz my network 
was flooded,like the the traffic was very slow and nothing resolved anymore..
I noticed the stranged thing that the main ns/mailserver (bind 9.1)had 
difficulties resolving things around,even internally,so mail was kindof 
blocked..
Thx for links..
its Daniel..


At 06:12 AM 12/30/01 -0800, Alvin Oga wrote:

> hi ya petra
>
> lots of different kind of floods...and DoS attacks...
> what kind of attack are oyu under ???
>         -- what shows up in tcpdump when monitoring all traffic
>         on the wire ???
>
> if you're an "amplifier" .. you have to turn off icmp broadcasts
> at your incoming cisco router/fw
>
> to test if you are a smurf amplifier.. see the links at
>         http://www.Linux-Sec.net/harden/smurf.fix.txt
>
> to test your DNS config....
>         http://www.Linux-Sec.net/Audit/audit_tools.gwif.html#DNS
>
> to harden your dns servers... and spoof protecting etc ..
>         http://www.Linux-Sec.net/Harden/server.gwif.html#DNS
>
> and lot of other stuff to harden too in addition to dns
>         http://www.Linux-Sec.net/Harden/
>
> have fun
> alvin
>
> On Sun, 30 Dec 2001, Petre Daniel wrote:
>
> > Hello Nate,it seems i cant get the link of the advisory.Its about some 
> sort
> > of amplyfing flood,when an ousider makes spoofed queries to the bind 
> daemon
> > and another one ,the victim is flooded along with me the attacked..
> > Thx..

Petre L. Daniel,System Administrator
Canad Systems Pitesti Romania,
http://www.cyber.ro, email:office@cyber.ro
Tel:+4048220044, +4048206200