DNS - connection limit (without any extra hardware)

Petri Helenius pete at he.iki.fi
Fri Dec 8 17:56:59 UTC 2006

Geo. wrote:
> I know this is kind of a crazy idea but how about making cleaning up 
> all these infected machines the priority as a solution instead of 
> defending your dns from your infected clients. They not only affect 
> you, they affect the rest of us so why should we give you a solution 
> to your problem when you don't appear to care about causing problems 
> for the rest of us?
Has anyone figured out a remote but lawful way to repair zombie machines?


> George Roettger
>     -----Original Message-----
>     From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of Luke
>     Sent: Friday, December 08, 2006 9:41 AM
>     To: nanog at nanog.org
>     Subject: DNS - connection limit (without any extra hardware)
>     Hi,
>     as a consequence of a virus spreading in my customer base, I often
>     receive big bursts of traffic on my DNS servers.
>     Unluckily, a lot of clients start to bomb my DNSs at a certain
>     hour, so I have a distributed attempt at denial of service.
>     I can't blacklist them on my DNSs, because there are too many
>     infected clients.
>     For this reason, I would like a DNS to respond to a maximum of
>     10 queries per second from every single IP address.
>     Does anybody know a solution, using just iptables/netfilter/kernel
>     tuning/BIND tuning, without using any hardware traffic shaper?
>     Thanks
>     Best Regards
>     Luke
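One way to get the per-source limit Luke asks for with netfilter alone, as an added example that is not from the thread: it uses the hashlimit match that ships with iptables and assumes BIND answers on udp/53 on the same host, with the rules hooked into the INPUT chain (set IPTABLES=echo to preview the rules without loading them).

```shell
#!/bin/sh
# Added example: per-source-IP rate limit for UDP DNS queries using the
# netfilter hashlimit match. The 10 q/s figure from the post is the default.
# Assumptions: BIND listens on udp/53 on this host, rules go in INPUT, and
# IPTABLES names the command (IPTABLES=echo prints the rules instead).
IPTABLES="${IPTABLES:-iptables}"

dns_ratelimit_rules() {
    rate="${1:-10}"      # sustained queries per second allowed per source IP
    burst="${2:-20}"     # short burst tolerated before the limit applies
    chain="DNS_LIMIT"

    # Dedicated chain so the policy is easy to flush and re-apply.
    "$IPTABLES" -N "$chain" 2>/dev/null || "$IPTABLES" -F "$chain"

    # One token bucket per source address (--hashlimit-mode srcip); packets
    # within the rate are accepted. Older iptables releases spelled the option
    # --hashlimit instead of --hashlimit-upto. Note that clients behind a
    # shared NAT address all draw from the same bucket.
    "$IPTABLES" -A "$chain" -m hashlimit \
        --hashlimit-upto "${rate}/sec" --hashlimit-burst "$burst" \
        --hashlimit-mode srcip --hashlimit-name dns_per_src \
        --hashlimit-htable-expire 30000 \
        -j ACCEPT

    # Above the per-source rate: log a throttled sample for later
    # investigation of the offending sources, then drop.
    "$IPTABLES" -A "$chain" -m limit --limit 5/min --limit-burst 5 \
        -j LOG --log-prefix "DNS-RATELIMIT: "
    "$IPTABLES" -A "$chain" -j DROP

    # Send only UDP DNS traffic through the limiting chain.
    "$IPTABLES" -A INPUT -p udp --dport 53 -j "$chain"
}
```

Source the file and run `dns_ratelimit_rules 10 20` as root to load the rules; TCP/53 is deliberately left untouched, so zone transfers and large answers keep working.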
