Re: DNS - connection limit (without any extra hardware)

["Fergie" <fergdawg () netzero net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry for the top-post, but wanted to retain context here.

Also, sorry for the specific product mention, but much of is
mentioned below is something that we are doing with ICSS/BASE:

 http://www.trendmicro.com/en/products/nss/icss/evaluate/overview.htm

$.02,

- - ferg

- -- Joe Abley <jabley () ca afilias info> wrote:

On 8-Dec-2006, at 11:52, Geo. wrote:

> > Actually, reading your reply (which is the same as my own, pretty  
> > much), I
> > figure the guy asked a question and he has a real problem.  
> > Assuming he
> > doesn't want to clean them up is not nice of us.
>
> Infected machines (bots) will cause a lot more than just DNS  
> issues. Issues
> like this have a way of getting worse all by themselves if not  
> addressed.
>
> Anyway, to play nice.. how about using a router to dampen traffic  
> much like
> icmp dampening? Would it be possible to do DNS dampening?

I think the trouble comes when you want to limit the request rate  
*per client source address*, rather than limiting the request rate  
across the board. That implies the retention of state, and since DNS  
transactions are brief (and since the client population is often  
large) that can add up to a lot of state to keep at an aggregation  
point like a router.

There some appliances which are designed to hold large amounts of  
state (e.g. f5's big-ip) but you're talking non-trivial dollars for  
that. Beware enterprise-scale stateful firewall devices which might  
seem like sensible solutions to this problem. They are often not  
suitable for use in front of busy DNS servers (even a few hundred new  
flows per second is a lot for some vendors, despite the apparent  
marketing headroom based on the number of kbps you need to handle).

You may find that you can install ipfw (or similar) rules on your  
nameservers themselves to do this kind of thing. Take careful note of  
what happens when the client population becomes large, though -- the  
garbage collection ought to be smooth and painless, or you'll just  
wind up swapping one worm proliferation failure mode for another.

Host-based per-client rate limits scale better if there are many  
hosts providing service, e.g. behind a load balancer or using  
something like <http://www.isc.org/pubs/tn/isc-tn-2004-1.html>.

As to the wider question, cleaning up the infected hosts is an  
excellent goal, but it'd certainly be nice if your DNS servers  
continued to function while you were doing so. Having every non- 
infected customer phone up screaming at once can be an unwelcome  
distraction when you already have more man hours of work to do per  
day than you have (staff * 24).


Joe

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.1 (Build 1557)

wj8DBQFFebFQq1pz9mNUZTMRAk+xAKCg1dPMivTo6ee5Nj1I4yjVXQzvCQCgnBSI
NV3RnsEijPJcHNawWS4uWog=
=pawb
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/