Re: DNS - connection limit (without any extra hardware)

[Douglas Otis <dotis () mail-abuse org>]

On Dec 8, 2006, at 6:40 AM, Luke wrote:

> Hi,
> as a consequence of a virus diffused in my customer-base, I often  
> receive big bursts of traffic on my DNS servers. Unluckly, a lot of  
> clients start to bomb my DNSs at a certain hour, so I have a  
> distributed tentative of denial of service.  I can't blacklist them  
> on my DNSs, because the infected clients are too much.
>
> For this reason, I would like that a DNS could response maximum to  
> 10 queries per second given by every single Ip address. Anybody  
> knows a solution, just using iptables/netfilter/kernel tuning/BIND  
> tuning, without using any hardware traffic shaper?

One effective strategy is to make 0wning your customer's system less  
profitable.  Here is a good article by Suresh Ramasubramanian:

http://www.circleid.com/posts/ 
port_25_blocking_or_fix_smtp_and_leave_port_25_alone_for_the_sake_of_spa 
m/

Some have been successful with notification tools such as those  
offered by:

http://www.perftech.com/

Customers are directed to a free scrub that does not depend upon OS  
validation status, such as Housecall.

-Doug