I think this problem was present before the upgrade, but I recently upgraded from 3.0.4 to 3.0.5.4p9 - no issues with the upgrade that I noticed, no error messages, was able to log into different accounts, all seemed good. Yesterday, I noticed that I could hardly load anything from the web. I have an older dual-T1 connection which gives me a full 3Mb up and down - I was getting 2.4+ down, but was only getting 0.3 up. People could barely get their email clients to check for new mail, and actually downloading it was near impossible (300 email accounts on another non-ISPConfig server). I checked switches and routers, and found that the ISPConfig server was the unit pushing all the traffic - disconnecting that server brought me back to 2.6+ up and down. Using the traffic statistics on the router for that server, I found that there were over 5800 bind/named connections (port 53) to the server. This ISPConfig server is only hosting 4 domains (httpd only) - it has no email accounts on it. Traffic should be minimal. I found the following types of messages repeatedly (1000's) in the messages log, but not sure why they're there (there were 1000's of different domains with this error): Jul 24 00:39:20 dns named[1486]: error (network unreachable) resolving 'a.ns36.de/AAAA/IN': 2a01:130:2000:118:195:34:161:195#53 Jul 24 00:39:20 dns named[1486]: error (network unreachable) resolving 'b.ns36.de/A/IN': 2a01:130:2000:118:195:34:161:195#53 Jul 24 00:39:20 dns named[1486]: error (network unreachable) resolving 'a.ns36.de/A/IN': 2a01:130:2000:118:195:34:161:195#53 Jul 24 00:39:21 dns named[1486]: error (network unreachable) resolving 'b.ns14.net/AAAA/IN': 2a01:130:2000:118:195:34:161:195#53 I was having an issue with this server spewing spam due to some PHP files that were transferred from another hosting company when I took over the hosting of a domain. Those were finally all found and deleted yesterday. I had cleared the postfix queues and actually disabled postfix and courier-imap so that traffic wasn't the cause of the bottleneck. Maybe the bind/named traffic was leftover from that, but I had cleared/disabled email and restarted the system and was still seeing the traffic and connections from bind/named. My thought was maybe there was a known exploit in bind that these spammers were exploiting. For now, I'm just blocking port 53 to this server, and all is happy. It's not a solution though. Any thoughts would be appreciated.
Little inbound traffic volume but high outbound volume sure sounds like DNS amplification. Does your server have an IPv6 addr too? Try capturing some of the traffic (requests and replies) and dig into it with wireshark or a similar tool, and see if you come up with any other clues. Is this server supposed to be a nameserver? If it's only an http server, then blocking dns requests to it is certainly a solution (provided it can still receive replies to dns requests it sends). You should block access to all services you don't explicitly intend to provide. Even go a step further and completely uninstall the software (name server and all other unnecessary services).
Server was intended to be a replacement for existing hosting server, so all usual traffic should be allowed - blocking DNS is not desired. Will look into traffic characteristics, but I'm in the middle of another project, so it might be a bit yet. It's stable at this point, and I have no plans to migrate to it yet. Was more curious if this was a unique case or more common. Thanks.
