[dns-operations] CVE 2015-8000 actively exploited yesterday

Matthew Ghali mghali at snark.net
Thu Dec 17 17:54:50 UTC 2015


Not quite that easy to solve. In the case of a fatal error or resource starvation, that's a good recipe for a DOS against your system as it spins in a tight restart loop.

At the minimum you want a limit on restarts, possibly in a given time period. More realistically you should also consider some sort of increasing (possibly exponential) cool off period between restarts. 

Matt

> On Dec 16, 2015, at 5:49 PM, Robert Edmonds <edmonds at mycre.ws> wrote:
> 
> Jared Mauch wrote:
> 
>> Either way, diversity creates options and building a solution to restart
>> the daemon is as easy as:
>> 
>> #/bin/bash
>> while true; do
>>    /usr/sbin/named -f $OTHER_ARGS
>> done
> 
> Well, if you go down that route, please make sure there's a ! in the
> shebang :-)
> 
> -- 
> Robert Edmonds
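
The restart limit and exponential cool-off described in the reply above, as an added example that is not part of the original thread. The names `supervise`, `next_delay` and `SLEEP_CMD` and the numbers in the usage line are assumptions chosen for illustration.

```bash
#!/bin/bash
# Added example: restart budget plus exponential cool-off (not from the thread).
# The numbers in the usage line at the bottom are illustrative assumptions.
SLEEP_CMD=${SLEEP_CMD:-sleep}    # overridable so the logic can be exercised without waiting

# next_delay CUR CAP: print CUR doubled, capped at CAP
next_delay() {
    local d=$(( $1 * 2 ))
    if [ "$d" -gt "$2" ]; then d=$2; fi
    echo "$d"
}

# supervise MAX_RESTARTS WINDOW_SECS BASE_DELAY MAX_DELAY COMMAND [ARGS...]
# Returns 1 once COMMAND has exited more than MAX_RESTARTS times within WINDOW_SECS.
supervise() {
    local max=$1 window=$2 base=$3 cap=$4
    local delay=$3 exits="" recent count started now rc t
    shift 4
    while true; do
        started=$(date +%s)
        rc=0
        "$@" || rc=$?
        now=$(date +%s)
        # Keep only the exits still inside the window, plus this one.
        recent="" count=0
        for t in $exits $now; do
            if [ $(( now - t )) -lt "$window" ]; then
                recent="$recent $t"
                count=$(( count + 1 ))
            fi
        done
        exits=$recent
        if [ "$count" -gt "$max" ]; then
            echo "giving up: $count exits in ${window}s, last status $rc" >&2
            return 1
        fi
        # A run that lasted a full window is treated as healthy: reset the cool-off.
        if [ $(( now - started )) -ge "$window" ]; then delay=$base; fi
        echo "exit status $rc, restarting in ${delay}s" >&2
        $SLEEP_CMD "$delay"
        delay=$(next_delay "$delay" "$cap")
    done
}

# Usage: at most 5 restarts per 300 s, cool-off starting at 1 s and doubling up to 60 s
if [ "$#" -gt 0 ]; then
    supervise 5 300 1 60 "$@"
fi
```

Saved as a script, it takes the daemon command line as its arguments, for example the `/usr/sbin/named -f $OTHER_ARGS` invocation from the quoted loop.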