DNS - connection limit (without any extra hardware)

Geo. geoincidents at nls.net
Fri Dec 8 15:25:43 UTC 2006


I know this is kind of a crazy idea but how about making cleaning up all
these infected machines the priority as a solution instead of defending your
dns from your infected clients. They not only affect you, they affect the
rest of us so why should we give you a solution to your problem when you
don't appear to care about causing problems for the rest of us?

George Roettger
  -----Original Message-----
  From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf Of
Luke
  Sent: Friday, December 08, 2006 9:41 AM
  To: nanog at nanog.org
  Subject: DNS - connection limit (without any extra hardware)


  Hi,
  as a consequence of a virus spread through my customer base, I often receive
big bursts of traffic on my DNS servers.
  Unluckily, a lot of clients start to bomb my DNSs at a certain hour, so I
have a distributed attempt at denial of service.
  I can't blacklist them on my DNSs, because the infected clients are too
many.

  For this reason, I would like a DNS server to respond to a maximum of 10
queries per second from every single IP address.
  Does anybody know a solution, just using iptables/netfilter/kernel tuning/BIND
tuning, without using any hardware traffic shaper?

  Thanks
  Best Regards

  Luke

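One way to do what Luke asks with stock netfilter, as an added example that is not part of this thread: a hashlimit chain keyed on source address, using the 10 queries/sec figure from his post and an assumed burst of 20, plus a rate-limited LOG rule that records which clients trip the limit (the list George's reply says should be cleaned up). The chain name, limits and expiry are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Per-source-IP DNS rate limit using the
# netfilter hashlimit match (xt_hashlimit); needs root on the DNS server.
# Assumed knobs: 10 queries/sec per client (Luke's figure) and a burst of 20.
# Older iptables spells --hashlimit-upto as --hashlimit; the rest is the same.
LIMIT_PER_SEC="${LIMIT_PER_SEC:-10}"
BURST="${BURST:-20}"
EXPIRE_MS="${EXPIRE_MS:-30000}"   # forget a client's bucket after 30 s of silence

# Emit the rules rather than applying them, so they can be reviewed first;
# run with --apply to feed them to sh.
dns_ratelimit_rules() {
  cat <<EOF
# Dedicated chain so the limiter can be inspected or flushed on its own.
iptables -N DNS_LIMIT 2>/dev/null || iptables -F DNS_LIMIT
# Token bucket per source address (--hashlimit-mode srcip): packets within
# ${LIMIT_PER_SEC}/sec (burst ${BURST}) RETURN to INPUT and are handled normally.
iptables -A DNS_LIMIT -m hashlimit --hashlimit-name dns_per_src \\
  --hashlimit-mode srcip --hashlimit-upto ${LIMIT_PER_SEC}/sec \\
  --hashlimit-burst ${BURST} --hashlimit-htable-expire ${EXPIRE_MS} -j RETURN
# Excess: log a sample (itself rate-limited so the log cannot be flooded),
# which yields the list of clients that need cleaning up, then drop.
iptables -A DNS_LIMIT -m limit --limit 6/min --limit-burst 10 \\
  -j LOG --log-prefix "DNS_LIMIT drop: "
iptables -A DNS_LIMIT -j DROP
# Send UDP queries and new TCP connections to port 53 through the chain.
iptables -I INPUT -p udp --dport 53 -j DNS_LIMIT
iptables -I INPUT -p tcp --dport 53 --syn -j DNS_LIMIT
EOF
}

case "${1:-}" in
  --apply) dns_ratelimit_rules | sh ;;
  *)       dns_ratelimit_rules ;;
esac
```

Packets under the limit fall through to the rest of INPUT unchanged, so existing accept rules for port 53 keep working; only the excess from a single address is dropped.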