nanog mailing list archives
RE: DNS - connection limit (without any extra hardware)
From: Gadi Evron <ge () linuxbox org>
Date: Fri, 8 Dec 2006 10:01:30 -0600 (CST)
On Fri, 8 Dec 2006, Geo. wrote:
I know this is kind of a crazy idea, but how about making cleaning up all these infected machines the priority as a solution, instead of defending your DNS from your infected clients? They not only affect you, they affect the rest of us, so why should we give you a solution to your problem when you don't appear to care about causing problems for the rest of us?

George Roettger
Actually, reading your reply (which is the same as my own, pretty much), I figure the guy asked a question and he has a real problem. Assuming he doesn't want to clean them up is not nice of us.

Luke: It is possible the DNS queries made are for non-existent domains; fake replies, perhaps even making them something in 1918 space, and they MAY stop being not nice netizens.

Gadi.
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Luke
Sent: Friday, December 08, 2006 9:41 AM
To: nanog () nanog org
Subject: DNS - connection limit (without any extra hardware)

Hi,
as a consequence of a virus diffused in my customer base, I often receive big bursts of traffic on my DNS servers. Unluckily, a lot of clients start to bomb my DNSs at a certain hour, so I have a distributed attempt at denial of service. I can't blacklist them on my DNSs, because the infected clients are too many. For this reason, I would like a DNS to respond to a maximum of 10 queries per second from every single IP address. Does anybody know a solution, just using iptables/netfilter/kernel tuning/BIND tuning, without using any hardware traffic shaper?

Thanks
Best Regards
Luke
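The two things discussed above, the per-source-IP query limit Luke asks for and the fake-reply idea Gadi raises, as an added example that is not part of the thread and not code from any of the posters. The rate limit uses netfilter's hashlimit match on the resolver host itself (no extra hardware); the fake replies are a BIND sinkhole zone that answers the bots' lookups with an RFC 1918 address. Assumptions, none of which come from the thread: iptables with the hashlimit extension is available, the chain name DNS_LIMIT, the hashlimit table name dnsq, the domain malware-cc.example and the address 10.255.255.1 are placeholders, and the script prints the rules by default rather than applying them.

```shell
#!/bin/sh
# Added example (not from the thread): coping with a query flood from infected customers.
#  1. dns_ratelimit_rules: at most RATE queries per second per source IP on UDP/53,
#     enforced with netfilter's hashlimit match (Luke's "10 queries per second per IP").
#  2. sinkhole_zone / sinkhole_named_conf: a BIND zone that resolves every name under the
#     malware's domain to an RFC 1918 address (Gadi's "fake replies in 1918 space"),
#     so the bots get a quick useless answer instead of retrying against the resolver.
# Assumed placeholders: chain DNS_LIMIT, hashlimit table dnsq, domain malware-cc.example,
# address 10.255.255.1. Dry run by default: IPT is "echo iptables" and only prints the
# rules. Set IPT=iptables and run as root to apply them.

IPT="${IPT:-echo iptables}"
RATE="${RATE:-10/sec}"      # sustained queries per second allowed per source IP
BURST="${BURST:-20}"        # extra queries a client may have in hand before the limit bites

dns_ratelimit_rules() {
    # Route all UDP/53 traffic through one chain so the policy is easy to inspect/flush.
    $IPT -N DNS_LIMIT 2>/dev/null || true
    $IPT -A INPUT -p udp --dport 53 -j DNS_LIMIT
    # One token bucket per source address (--hashlimit-mode srcip): queries within RATE
    # (plus BURST) are accepted, everything above is dropped. --hashlimit-htable-expire
    # drops idle entries after 10 s so the table does not grow without bound.
    # Older iptables spells --hashlimit-upto as --hashlimit.
    $IPT -A DNS_LIMIT -m hashlimit --hashlimit-name dnsq --hashlimit-mode srcip \
        --hashlimit-upto "$RATE" --hashlimit-burst "$BURST" \
        --hashlimit-htable-expire 10000 -j ACCEPT
    $IPT -A DNS_LIMIT -j DROP
}

sinkhole_zone() {
    # Print a minimal master zone in which the apex and every name below it
    # ($1 and *.$1) resolve to $2.
    domain="$1"
    addr="$2"
    cat <<EOF
; sinkhole zone for $domain: every name resolves to $addr (RFC 1918, never reachable)
\$TTL 300
@       IN SOA  ns1.$domain. hostmaster.$domain. ( 1 3600 900 604800 300 )
        IN NS   ns1.$domain.
ns1     IN A    $addr
@       IN A    $addr
*       IN A    $addr
EOF
}

sinkhole_named_conf() {
    # named.conf stanza that makes the resolver authoritative for the sinkhole zone
    # ($1 = domain, $2 = path of the zone file written from sinkhole_zone).
    printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' "$1" "$2"
}

dns_ratelimit_rules
sinkhole_zone malware-cc.example 10.255.255.1
sinkhole_named_conf malware-cc.example /etc/bind/db.malware-cc.example
```

Two caveats a practitioner would check before applying this. Customers behind a shared NAT address all draw from one bucket, so either raise BURST or aggregate with --hashlimit-srcmask deliberately rather than by accident; and a dropped query only makes the client retransmit, so the hashlimit rule protects the resolver but does not quiet the bots, while the sinkhole zone does, because the malware gets a fast, cacheable answer it cannot use. If TCP fallback is a concern, add the same chain for -p tcp --dport 53.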
Current thread:
- DNS - connection limit (without any extra hardware) Luke (Dec 08)
- RE: DNS - connection limit (without any extra hardware) Geo. (Dec 08)
- RE: DNS - connection limit (without any extra hardware) Gadi Evron (Dec 08)
- RE: DNS - connection limit (without any extra hardware) Geo. (Dec 08)
- Re: DNS - connection limit (without any extra hardware) Joe Abley (Dec 08)
- Re: DNS - connection limit (without any extra hardware) Daniel Golding (Dec 10)
- Re: DNS - connection limit (without any extra hardware) Matt Ghali (Dec 10)
- RE: DNS - connection limit (without any extra hardware) Gadi Evron (Dec 08)
- RE: DNS - connection limit (without any extra hardware) Geo. (Dec 08)
- RE: DNS - connection limit (without any extra hardware) Matt Ghali (Dec 08)
- Re: DNS - connection limit (without any extra hardware) Gadi Evron (Dec 08)
- Re: DNS - connection limit (without any extra hardware) Aaron Glenn (Dec 08)
- Re: DNS - connection limit (without any extra hardware) Petri Helenius (Dec 08)