[dns-operations] CVE 2015-8000 actively exploited yesterday
Matthew Ghali
mghali at snark.net
Thu Dec 17 17:54:50 UTC 2015
Not quite that easy to solve. In the case of a fatal error or resource starvation, that's a good recipe for a DOS against your system as it spins in a tight restart loop.
At the minimum you want a limit on restarts, possibly in a given time period. More realistically you should also consider some sort of increasing (possibly exponential) cool off period between restarts.
Matt
> On Dec 16, 2015, at 5:49 PM, Robert Edmonds <edmonds at mycre.ws> wrote:
>
> Jared Mauch wrote:
>
>> Either way, diversity creates options and building a solution to restart
>> the daemon is as easy as:
>>
>> #/bin/bash
>> while true; do
>> /usr/sbin/named -f $OTHER_ARGS
>> done
>
> Well, if you go down that route, please make sure there's a ! in the
> shebang :-)
>
> --
> Robert Edmonds
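
The restart limit and increasing cool-off described in the reply above, as an added example that is not part of the original thread. The tunables (MAX_RESTARTS, WINDOW, BASE_DELAY, MAX_DELAY, HEALTHY_AFTER, SLEEP) and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: supervise a daemon with a restart budget and exponential
# backoff. All tunables are illustrative assumptions, not values from the thread.
MAX_RESTARTS=${MAX_RESTARTS:-5}     # restarts allowed per window
WINDOW=${WINDOW:-300}               # window length in seconds
BASE_DELAY=${BASE_DELAY:-1}         # first cool-off in seconds
MAX_DELAY=${MAX_DELAY:-60}          # cool-off cap in seconds
HEALTHY_AFTER=${HEALTHY_AFTER:-60}  # a run this long resets the backoff
SLEEP=${SLEEP:-sleep}               # overridable so the loop can be tested

# next_delay CURRENT -> prints the doubled cool-off, capped at MAX_DELAY
next_delay() {
    d=$(( $1 * 2 ))
    [ "$d" -gt "$MAX_DELAY" ] && d=$MAX_DELAY
    echo "$d"
}

# supervise CMD [ARGS...] -> returns 1 once the restart budget is exhausted
supervise() {
    delay=$BASE_DELAY
    count=0
    window_start=$(date +%s)
    while true; do
        started=$(date +%s)
        status=0
        "$@" || status=$?
        now=$(date +%s)
        # A long-lived run means the daemon was healthy: reset the backoff.
        [ $(( now - started )) -ge "$HEALTHY_AFTER" ] && delay=$BASE_DELAY
        # Start a fresh budget once the window has elapsed.
        if [ $(( now - window_start )) -ge "$WINDOW" ]; then
            window_start=$now
            count=0
        fi
        count=$(( count + 1 ))
        if [ "$count" -gt "$MAX_RESTARTS" ]; then
            echo "giving up: exit $status, $count exits within ${WINDOW}s" >&2
            return 1
        fi
        echo "exit $status; restart $count/$MAX_RESTARTS in ${delay}s" >&2
        $SLEEP "$delay"
        delay=$(next_delay "$delay")
    done
}

# Usage (not run here): supervise /usr/sbin/named -f $OTHER_ARGS
```

When supervise returns 1 the wrapper should stop and alert rather than loop again, so a crash that repeats on every start leaves the process down and visible instead of spinning.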