<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1578" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face="Courier New" color=#0000ff size=2><SPAN
class=000111915-08122006>I know this is kind of a crazy idea, but how about
making cleaning up all these infected machines the priority as a
solution, instead of defending your DNS from your infected clients? They not only
affect you, they affect the rest of us, so why should we give you a solution to
your problem when you don't appear to care about causing problems for the rest
of us?</SPAN></FONT></DIV>
<DIV><FONT face="Courier New" color=#0000ff size=2><SPAN
class=000111915-08122006></SPAN></FONT> </DIV>
<DIV><FONT face="Courier New" color=#0000ff size=2><SPAN
class=000111915-08122006>George Roettger</SPAN></FONT></DIV>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> owner-nanog@merit.edu
[mailto:owner-nanog@merit.edu]<B>On Behalf Of </B>Luke<BR><B>Sent:</B> Friday,
December 08, 2006 9:41 AM<BR><B>To:</B> nanog@nanog.org<BR><B>Subject:</B> DNS
- connection limit (without any extra hardware)<BR><BR></FONT></DIV>Hi,<BR>As
a consequence of a virus that spread through my customer base, I often receive big
bursts of traffic on my DNS servers.<BR>Unluckily, a lot of clients start to
bomb my DNSs at a certain hour, so I have a distributed denial-of-service
attempt. <BR>I can't blacklist them on my DNSs, because there are too many
infected clients.<BR><BR>For this reason, I would like a DNS server to respond
to a maximum of 10 queries per second from every single IP address.<BR>Does
anybody know a solution using just iptables/netfilter/kernel tuning/BIND tuning,
without any hardware traffic shaper? <BR><BR>Thanks<BR>Best
Regards<BR><BR>Luke<BR><BR></BLOCKQUOTE></BODY></HTML>
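A netfilter rule set that implements the per-source limit Luke asks about, added here as an example and not taken from the thread. It uses the iptables hashlimit match, which keeps one token bucket per source address; the 10 queries/sec rate and port 53 come from the post, while the burst value, the chain name DNS_LIMIT and the inclusion of TCP/53 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread: per-source-IP rate limit for
# DNS queries with the iptables "hashlimit" match (netfilter only, no extra
# hardware). Assumptions: 10 queries/sec per source IP (from the post), a burst
# of 20 to absorb legitimate resolver retries, and a dedicated chain DNS_LIMIT.

RATE="${DNS_RATE:-10/sec}"
BURST="${DNS_BURST:-20}"
CHAIN="DNS_LIMIT"

# Emit an iptables-restore fragment. hashlimit keeps one bucket per source
# address (--hashlimit-mode srcip): packets above the rate are dropped and
# counted, everything under it is accepted. TCP/53 is included because
# resolvers retry over TCP when a UDP answer is truncated.
dns_limit_rules() {
    cat <<EOF
*filter
:$CHAIN - [0:0]
-A INPUT -p udp --dport 53 -j $CHAIN
-A INPUT -p tcp --dport 53 -j $CHAIN
-A $CHAIN -m hashlimit --hashlimit-name dns-per-src --hashlimit-mode srcip --hashlimit-above $RATE --hashlimit-burst $BURST --hashlimit-srcmask 32 -j DROP
-A $CHAIN -j ACCEPT
COMMIT
EOF
}

# Sanity check used before loading: exactly one DROP rule is expected.
count_drop_rules() {
    dns_limit_rules | grep -c -- '-j DROP'
}

# Print by default so the rules can be reviewed; "apply" needs root and iptables.
case "${1:-print}" in
    print) dns_limit_rules ;;
    apply) dns_limit_rules | iptables-restore --noflush ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it with `apply` only once (or flush the two INPUT jump rules first), since iptables-restore --noflush appends the jumps again on every load; the per-source counters can be inspected with `iptables -L DNS_LIMIT -v -n` to see how many queries are being dropped.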