DNS - connection limit (without any extra hardware)
Gadi Evron
ge at linuxbox.org
Fri Dec 8 16:01:30 UTC 2006
On Fri, 8 Dec 2006, Geo. wrote:
> I know this is kind of a crazy idea but how about making cleaning up all
> these infected machines the priority as a solution instead of defending your
> dns from your infected clients. They not only affect you, they affect the
> rest of us so why should we give you a solution to your problem when you
> don't appear to care about causing problems for the rest of us?
>
> George Roettger
Actually, reading your reply (which is the same as my own, pretty much), I
figure the guy asked a question and he has a real problem. Assuming he
doesn't want to clean them up is not nice of us.
Luke:
It is possible the DNS queries made are for non-existent domains, fake
replies, perhaps even making them something in 1918 space, and they MAY
stop being not nice netizens.
Gadi.
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> Luke
> Sent: Friday, December 08, 2006 9:41 AM
> To: nanog at nanog.org
> Subject: DNS - connection limit (without any extra hardware)
>
>
> Hi,
> as a consequence of a virus spread in my customer base, I often receive
> big bursts of traffic on my DNS servers.
> Unluckily, a lot of clients start to bomb my DNSs at a certain hour, so I
> have a distributed attempt at a denial of service.
> I can't blacklist them on my DNSs, because the infected clients are too
> many.
>
> For this reason, I would like a DNS server to respond to at most 10
> queries per second from every single IP address.
> Does anybody know a solution, just using iptables/netfilter/kernel tuning/BIND
> tuning, without using any hardware traffic shaper?
>
> Thanks
> Best Regards
>
> Luke
>
>
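Editor's note, added to this archived message and not part of the original thread: the per-source-IP limit Luke asks for ("maximum 10 queries per second per IP, iptables/netfilter only") is exactly what netfilter's hashlimit match does, so the script below spells it out. It is example code, not anything Luke or Gadi posted. The rate (10/sec), burst (20), interface name (eth0) and hash table size (65536 entries) are assumptions to tune per server. By default it only prints the iptables commands; APPLY=1 runs them (root, xt_hashlimit loaded), and LEGACY=1 emits the form for iptables older than 1.4.0, which had no --hashlimit-above and so needs the inverted "RETURN while under the rate, then DROP" pattern. Gadi's suggestion of answering the malware's lookups with fake RFC 1918 addresses is a BIND-side complement that this script does not cover.

```shell
#!/bin/sh
# Added example (not from the NANOG thread): limit DNS queries per client IP
# with iptables' hashlimit match, no extra hardware. RATE, BURST, IFACE and
# HT_MAX below are assumed values; tune them for your own servers.
#
#   sh dns-ratelimit.sh            print the rules (dry run)
#   APPLY=1 sh dns-ratelimit.sh    run them (root, xt_hashlimit loaded)
#   LEGACY=1 sh dns-ratelimit.sh   emit the pre-1.4.0 iptables form

RATE="${RATE:-10/sec}"      # steady-state queries per second allowed per source IP
BURST="${BURST:-20}"        # queries a client may send above RATE before being dropped
IFACE="${IFACE:-eth0}"      # customer-facing interface (assumed name)
HT_MAX="${HT_MAX:-65536}"   # source IPs tracked at once; a full table drops new clients

# Shared chain that logs (itself rate-limited, so the log is not the next
# flood) and then drops.
dns_drop_chain_rules() {
    echo "iptables -N DNS_DROP 2>/dev/null || iptables -F DNS_DROP"
    echo "iptables -A DNS_DROP -m limit --limit 6/min --limit-burst 6 -j LOG --log-prefix 'dns-ratelimit: '"
    echo "iptables -A DNS_DROP -j DROP"
}

# Emit the limiter chain for one protocol (udp or tcp), one command per line.
# Each protocol gets its own hashlimit table name so UDP and TCP queries from
# the same client are counted separately.
dns_ratelimit_rules() {
    proto="$1"
    chain="DNS_RL_$proto"
    common="-m hashlimit --hashlimit-name dns_$proto --hashlimit-mode srcip --hashlimit-burst $BURST --hashlimit-htable-max $HT_MAX"
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    echo "iptables -A INPUT -i $IFACE -p $proto --dport 53 -j $chain"
    if [ "${LEGACY:-0}" = "1" ]; then
        # Old iptables only has --hashlimit, which matches while the client is
        # UNDER the rate: let those packets return to INPUT, drop the rest.
        echo "iptables -A $chain $common --hashlimit $RATE -j RETURN"
        echo "iptables -A $chain -j DNS_DROP"
    else
        # iptables >= 1.4.0 can match directly on clients ABOVE the rate.
        echo "iptables -A $chain $common --hashlimit-above $RATE -j DNS_DROP"
        echo "iptables -A $chain -j RETURN"
    fi
}

# Print the generated commands, or execute them when APPLY=1.
apply_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then
        sh -e
    else
        cat
    fi
}

{ dns_drop_chain_rules; dns_ratelimit_rules udp; dns_ratelimit_rules tcp; } | apply_or_print
```

Two things to keep in mind when deploying this. hashlimit is a token bucket, so BURST is what keeps a legitimate resolver that sends a short burst of lookups (a mail server, a busy NAT gateway) from being throttled; if such hosts sit in the customer base, raise the burst or exempt them with an ACCEPT rule ahead of the jump into the limiter chain. And because a full hash table makes the match drop the packets it cannot track, HT_MAX must be comfortably above the number of client IPs that are active within the table's expiry window, which for an infected base of thousands of hosts means setting it explicitly as done here. Dropped UDP queries are retried by stub resolvers after a timeout, so the rule relieves BIND rather than the wire; the cleanup Geo asks for remains the real fix.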