DNS - connection limit (without any extra hardware)
pete at he.iki.fi
Fri Dec 8 17:56:59 UTC 2006
> I know this is kind of a crazy idea but how about making cleaning up
> all these infected machines the priority as a solution instead of
> defending your dns from your infected clients. They not only affect
> you, they affect the rest of us so why should we give you a solution
> to your problem when you don't appear to care about causing problems
> for the rest of us?
Has anyone figured out a remote but lawful way to repair zombie machines?
> George Roettger
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of Luke
> Sent: Friday, December 08, 2006 9:41 AM
> To: nanog at nanog.org
> Subject: DNS - connection limit (without any extra hardware)
> As a consequence of a virus spread through my customer base, I often
> receive big bursts of traffic on my DNS servers.
> Unluckily, a lot of clients start to bomb my DNSs at a certain
> hour, so I have a distributed attempt at denial of service.
> I can't blacklist them on my DNSs, because there are too many
> infected clients.
> For this reason, I would like the DNS to respond to a maximum of
> 10 queries per second from each single IP address.
> Does anybody know a solution, just using iptables/netfilter/kernel
> tuning/BIND tuning, without using any hardware traffic shaper?
> Best Regards
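The policy Luke asks for in the quoted message (answer at most about 10 queries per second from any single client IP) is a per-source token bucket: a sustained rate plus a burst allowance, keyed on the source address. The script below is an added example, not code from this thread or from any of the posters; it runs that policy over constructed BIND-style query-log lines so the effect on a normal client and on an infected one can be compared. The client addresses, names and timestamps are made up for the example.

```python
"""Per-source-IP DNS query rate limiting (token bucket), run over constructed
BIND 9 style query-log lines. Added example; log lines and addresses below
are constructed, not taken from the thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a BIND 9 query-log line:
#   "08-Dec-2006 09:41:00.123 client 192.0.2.10#5353: query: www.example.com IN A +"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[^#\s]+)#\d+: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
_EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (timestamp_us, src_ip, qname), or None for a non-query line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    ts_us = (ts - _EPOCH) // timedelta(microseconds=1)  # exact integer microseconds
    return ts_us, m.group("ip"), m.group("qname")


class PerSourceLimiter:
    """One token bucket per source IP.

    rate  = tokens refilled per second (sustained queries/second allowed)
    burst = bucket capacity (how many queries may arrive back-to-back)
    Tokens are stored as integer micro-tokens so the arithmetic is exact:
    elapsed_us * rate is the refill in micro-tokens, one query costs SCALE.
    """
    SCALE = 1_000_000

    def __init__(self, rate, burst):
        self.rate = rate
        self.capacity = burst * self.SCALE
        self.buckets = {}  # ip -> (micro_tokens, last_seen_us)

    def allow(self, ip, now_us):
        tokens, last = self.buckets.get(ip, (self.capacity, now_us))
        elapsed = max(0, now_us - last)  # tolerate out-of-order log lines
        tokens = min(self.capacity, tokens + elapsed * self.rate)
        if tokens >= self.SCALE:
            self.buckets[ip] = (tokens - self.SCALE, now_us)
            return True
        self.buckets[ip] = (tokens, now_us)
        return False


def apply_policy(lines, rate=10, burst=10):
    """Run the per-source limiter over log lines.
    Returns {src_ip: (answered, dropped)} so over-limit clients stand out."""
    limiter = PerSourceLimiter(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts_us, ip, _qname = parsed
        stats[ip][0 if limiter.allow(ip, ts_us) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


def make_sample_log():
    """Constructed log for one second: a normal client sending 5 queries 200 ms
    apart, and an infected client firing 30 queries 10 ms apart."""
    base = "08-Dec-2006 09:41:00"
    lines = [f"{base}.{i * 200:03d} client 192.0.2.10#5353: query: www.example.com IN A +"
             for i in range(5)]
    lines += [f"{base}.{i * 10:03d} client 198.51.100.7#1029: query: host{i}.example.net IN A +"
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for ip, (ok, dropped) in sorted(apply_policy(make_sample_log()).items()):
        print(f"{ip:16} answered={ok:3d} dropped={dropped:3d}")
```

With rate 10 and burst 10 the normal client is untouched (5 answered, 0 dropped) while the infected one gets 12 of its 30 queries answered: the 10-query burst plus the 10/s refill accrued during its 300 ms flood, which is the same rate-plus-burst semantics the netfilter `hashlimit` match (`-m hashlimit --hashlimit-mode srcip` with a rate and `--hashlimit-burst`) applies in-kernel to incoming UDP/53 on a Linux resolver. Two things a practitioner would check before turning that on: log the dropped packets so infected customers can be identified and cleaned rather than silently throttled, and keep in mind that UDP source addresses can be forged, so a per-source limit protects the server's capacity but can also be made to trigger against an address that never sent the traffic.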