/var partition overflow (due to spyware?) in FreeBSD default
install
Brett Glass
brett at lariat.org
Thu Oct 23 15:48:47 PDT 2003
All:
I'm posting this to FreeBSD-security (rather than FreeBSD-net) because
the problems I'm seeing appear to have been caused by spyware, and
because they constitute a possible avenue for denial of service on
FreeBSD machines with default installs of the operating system.
Several of the FreeBSD machines on our network began to act strangely
during the past week. Some have started to refuse mail; in other cases,
important daemons have died without warning. All of the machines are
running 4.x releases of FreeBSD with all recent patches installed, and
all are running the version of BIND supplied with FreeBSD. The "top"
command, when run on these machines, showed that BIND is consuming very
large amounts of CPU time, but this by itself couldn't explain all of the
symptoms we were seeing.
This afternoon, I examined the machines and discovered the problem: full
/var partitions caused by huge /var/log/messages files.
Inspection of the files reveals hundreds of thousands of messages of the form:
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS
(ns0.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS
(ns1.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS
(ns3.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS
(ns4.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS
(ns6.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS
(ns7.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS
(ns8.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS
(ns11.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS
(ns10.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS
(ns11.opennic.glue)
The references to OpenNIC have caused me to suspect (though I have not
verified it yet) that the problem is due to the New.Net spyware, which
causes Windows machines to query OpenNIC's name servers. From what I've
read so far, it appears that New.Net is "foistware" -- that is, it can be
installed on innocent users' Windows machines without their consent via
holes in Internet Explorer. But if New.Net is not what's responsible,
SOMETHING certainly seems to be generating bogus DNS queries, which in
turn are causing these messages.
FreeBSD currently comes configured, in the default install, to check
/var/messages only once a day, and to rotate the log file if it's above a
certain size. Unfortunately, these messages accumulate so rapidly that
this is not sufficient; the /var partition in the default install can
easily be overflowed long before the log is rotated, causing
malfunctions. I've temporarily changed /etc/crontab so that newsyslog is
run every 5 minutes instead of once a day (which may be a good idea to
prevent other denials of service via this sort of overflow as well). But
it also makes sense to patch the system so that it does not fill so many
verbose messages -- and/or to ignore the bogus queries generated by the
spyware. It may also pay to patch BIND to limit the overhead that is
incurred when such queries occur. Ideas?
--Brett Glass
More information about the freebsd-security
mailing list