nanog mailing list archives
Re: DNS - connection limit (without any extra hardware)
From: Douglas Otis <dotis () mail-abuse org>
Date: Fri, 8 Dec 2006 15:57:24 -0800
On Dec 8, 2006, at 6:40 AM, Luke wrote:
Hi, as a consequence of a virus spread in my customer base, I often receive big bursts of traffic on my DNS servers. Unluckily, a lot of clients start to bomb my DNSs at a certain hour, so I have a distributed attempt at denial of service. I can't blacklist them on my DNSs, because there are too many infected clients. For this reason, I would like a DNS to respond to a maximum of 10 queries per second from every single IP address. Does anybody know a solution, just using iptables/netfilter/kernel tuning/BIND tuning, without using any hardware traffic shaper?
One effective strategy is to make 0wning your customer's system less profitable. Here is a good article by Suresh Ramasubramanian:
http://www.circleid.com/posts/port_25_blocking_or_fix_smtp_and_leave_port_25_alone_for_the_sake_of_spam/
Some have been successful with notification tools such as those offered by:
http://www.perftech.com/
Customers are directed to a free scrub that does not depend upon OS validation status, such as Housecall.
-Doug
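The per-source rate limit Luke asks for (answer at most 10 queries per second from any one client address) is what a per-IP token bucket does, which is also the mechanism behind netfilter's hashlimit match. The following is an added example, not code from the thread or from any poster: a small token-bucket limiter run over a constructed stream of DNS query arrivals (times and addresses are made up, using documentation address ranges) to show how many queries from a bursting infected host, a steadily hammering host and a quiet host a "10/s per IP, burst 10" policy would answer or drop. Exact fractions are used so the bucket arithmetic has no floating-point edge effects.

```python
# Added example (not from the original thread): per-source-IP token bucket,
# the policy netfilter's hashlimit match applies, simulated over constructed
# DNS query arrivals to show what "10 queries/s per IP" answers and drops.
from collections import defaultdict
from fractions import Fraction

RATE = Fraction(10)   # queries per second refilled into each source's bucket
BURST = Fraction(10)  # bucket capacity: back-to-back queries a quiet source may send


class PerSourceLimiter:
    """Token bucket keyed by source IP.

    allow(ip, t) returns True when a query from ip arriving at time t
    (seconds, any number convertible to Fraction) should be answered.
    """

    def __init__(self, rate=RATE, burst=BURST):
        self.rate = Fraction(rate)
        self.burst = Fraction(burst)
        self.tokens = {}  # src ip -> tokens remaining
        self.last = {}    # src ip -> time of last refill

    def allow(self, ip, t):
        t = Fraction(t)
        # an unseen source starts with a full bucket
        tokens = self.tokens.get(ip, self.burst)
        last = self.last.get(ip, t)
        # refill in proportion to elapsed time, never above the burst size
        tokens = min(self.burst, tokens + (t - last) * self.rate)
        self.last[ip] = t
        if tokens >= 1:
            self.tokens[ip] = tokens - 1
            return True
        self.tokens[ip] = tokens
        return False


def simulate(queries, rate=RATE, burst=BURST):
    """queries: iterable of (t_seconds, src_ip).

    Returns {src_ip: (answered, dropped)} after replaying the queries in
    time order through one shared limiter.
    """
    lim = PerSourceLimiter(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for t, ip in sorted(queries):
        if lim.allow(ip, t):
            stats[ip][0] += 1
        else:
            stats[ip][1] += 1
    return {ip: (a, d) for ip, (a, d) in stats.items()}


def constructed_traffic():
    """Constructed sample arrivals (not captured data):
    - 192.0.2.10 fires 100 queries inside one second (100 q/s burst)
    - 192.0.2.11 sends a steady 50 q/s for two seconds
    - 198.51.100.7 is a normal client sending 5 queries over one second
    """
    q = []
    q += [(Fraction(i, 100), "192.0.2.10") for i in range(100)]
    q += [(Fraction(i, 50), "192.0.2.11") for i in range(100)]
    q += [(Fraction(i, 5), "198.51.100.7") for i in range(5)]
    return q


if __name__ == "__main__":
    for ip, (answered, dropped) in sorted(simulate(constructed_traffic()).items()):
        print(f"{ip:>14}: answered {answered:3d}  dropped {dropped:3d}")
```

The bursting host gets its 10-query burst plus roughly 10 per second afterwards (19 of 100 answered), the 50 q/s host is held to about 10 per second over its two seconds (29 of 100), and the normal client is untouched (5 of 5). The kernel-side equivalent, assuming a reasonably current iptables (option names vary between versions), is an ACCEPT rule with `-p udp --dport 53 -m hashlimit --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-name dns` followed by a DROP for remaining port 53 traffic. Two caveats a practitioner should weigh: DNS over UDP carries no proof of source address, so an attacker who spoofs a legitimate client's address can push that client over the limit, and dropped queries make stub resolvers retry, so the offered load does not fall as much as the answered load does.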