DNS - connection limit (without any extra hardware)
Joe Abley
jabley at ca.afilias.info
Fri Dec 8 17:57:06 UTC 2006
On 8-Dec-2006, at 11:52, Geo. wrote:
>
>> Actually, reading your reply (which is the same as my own, pretty
>> much), I
>> figure the guy asked a question and he has a real problem.
>> Assuming he
>> doesn't want to clean them up is not nice of us.
>
> Infected machines (bots) will cause a lot more than just DNS
> issues. Issues
> like this have a way of getting worse all by themselves if not
> addressed.
>
> Anyway, to play nice.. how about using a router to dampen traffic
> much like
> icmp dampening? Would it be possible to do DNS dampening?
I think the trouble comes when you want to limit the request rate
*per client source address*, rather than limiting the request rate
across the board. That implies the retention of state, and since DNS
transactions are brief (and since the client population is often
large) that can add up to a lot of state to keep at an aggregation
point like a router.
There some appliances which are designed to hold large amounts of
state (e.g. f5's big-ip) but you're talking non-trivial dollars for
that. Beware enterprise-scale stateful firewall devices which might
seem like sensible solutions to this problem. They are often not
suitable for use in front of busy DNS servers (even a few hundred new
flows per second is a lot for some vendors, despite the apparent
marketing headroom based on the number of kbps you need to handle).
You may find that you can install ipfw (or similar) rules on your
nameservers themselves to do this kind of thing. Take careful note of
what happens when the client population becomes large, though -- the
garbage collection ought to be smooth and painless, or you'll just
wind up swapping one worm proliferation failure mode for another.
Host-based per-client rate limits scale better if there are many
hosts providing service, e.g. behind a load balancer or using
something like <http://www.isc.org/pubs/tn/isc-tn-2004-1.html>.
As to the wider question, cleaning up the infected hosts is an
excellent goal, but it'd certainly be nice if your DNS servers
continued to function while you were doing so. Having every non-
infected customer phone up screaming at once can be an unwelcome
distraction when you already have more man hours of work to do per
day than you have (staff * 24).
Joe
More information about the NANOG
mailing list