[dns-operations] CVE 2015-8000 actively exploited yesterday

Mike Hoskins (michoski) michoski at cisco.com
Thu Dec 17 18:09:40 UTC 2015


On 12/17/15, 12:54 PM, "dns-operations on behalf of Matthew Ghali"
<dns-operations-bounces at dns-oarc.net on behalf of mghali at snark.net> wrote:


>Not quite that easy to solve. In the case of a fatal error or resource
>starvation, that's a good recipe for a DOS against your system as it
>spins in a tight restart loop.
>
>At the minimum you want a limit on restarts, possibly in a given time
>period. More realistically you should also consider some sort of
>increasing (possibly exponential) cool off period between restarts.


Yes.  Bad restart mechanisms are just, well...  bad.  As someone else
pointed out (monit), there are plenty of existing tools to solve this part
of the problem.  Writing your own is likely not wise, unless you run a
single name server in your basement and are your own support team.
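The policy discussed in this thread (a cap on restarts within a time window, plus an exponentially growing cool-off), modelled as an added example. It is not part of the original message and not code from monit or any other tool. The class name, the function names and all default values are assumptions chosen for illustration.

```python
from collections import deque


class RestartPolicy:
    """Restart cap per time window plus exponential cool-off (defaults are assumed)."""
    def __init__(self, max_restarts=5, window=600.0, base_delay=1.0,
                 max_delay=300.0, stable_after=900.0):
        self.max_restarts = max_restarts  # restarts allowed inside `window` seconds
        self.window = window
        self.base_delay = base_delay      # first cool-off, doubled on each repeat
        self.max_delay = max_delay        # ceiling for the cool-off
        self.stable_after = stable_after  # uptime that counts as "recovered"
        self._crashes = deque()           # crash times still inside the window
        self._streak = 0                  # crashes since the last stable run
        self._started = None

    def on_start(self, now):
        self._started = now

    def on_crash(self, now):
        """Return seconds to wait before restarting, or None to stop and alert."""
        if self._started is not None and now - self._started >= self.stable_after:
            self._streak = 0              # a long healthy run resets the backoff
        while self._crashes and now - self._crashes[0] > self.window:
            self._crashes.popleft()       # forget crashes older than the window
        self._crashes.append(now)
        if len(self._crashes) > self.max_restarts:
            return None                   # budget spent: leave it down for a human
        delay = min(self.base_delay * 2 ** self._streak, self.max_delay)
        self._streak += 1
        return delay


def simulate(uptimes, policy):
    """Replay a list of uptimes (seconds before each crash); return the decisions."""
    now, decisions = 0.0, []
    for uptime in uptimes:
        policy.on_start(now)
        now += uptime
        delay = policy.on_crash(now)
        decisions.append(delay)
        if delay is None:
            break
        now += delay
    return decisions

if __name__ == "__main__":
    # Constructed input: a daemon that dies 0.1 s after every start.
    print(simulate([0.1] * 10, RestartPolicy()))
```

With the assumed defaults, a daemon that dies on every start is restarted five times with growing pauses and then left down, instead of spinning in a tight loop.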




