nanog mailing list archives
Re: DNS - connection limit (without any extra hardware)
From: Gadi Evron <ge () linuxbox org>
Date: Fri, 8 Dec 2006 09:58:04 -0600 (CST)
On Fri, 8 Dec 2006, Luke wrote:
Hi, as a comsequence of a virus diffused in my customer-base, I often receive big bursts of traffic on my DNS servers. Unluckly, a lot of clients start to bomb my DNSs at a certain hour, so I have a distributed tentative of denial of service. I can't blacklist them on my DNSs, because the infected clients are too much. For this reason, I would like that a DNS could response maximum to 10 queries per second given by every single Ip address. Anybody knows a solution, just using iptables/netfilter/kernel tuning/BIND tuning, without using any hardware traffic shaper?
"I have a bots infested network, they really task my services! How can I make my services ignore them so that the clients start calling me and spending my tech support budget?"
Thanks Best Regards Luke
Gadi.
Current thread:
- Re: DNS - connection limit (without any extra hardware), (continued)
- Re: DNS - connection limit (without any extra hardware) Gadi Evron (Dec 10)
- Re: DNS - connection limit (without any extra hardware) Petri Helenius (Dec 10)
- Re: DNS - connection limit (without any extra hardware) Jo Rhett (Dec 27)
- Re: DNS - connection limit (without any extra hardware) Simon Waters (Dec 08)
- Re: DNS - connection limit (without any extra hardware) Matt Ghali (Dec 08)
- Re: DNS - connection limit (without any extra hardware) Luke C (Dec 11)
- Re: DNS - connection limit (without any extra hardware) Luke C (Dec 11)
- Re: DNS - connection limit (without any extra hardware) Simon Waters (Dec 11)
- Re: DNS - connection limit (without any extra hardware) Matt Ghali (Dec 11)
- Re: DNS - connection limit (without any extra hardware) Mark Andrews (Dec 11)
- Re: DNS - connection limit (without any extra hardware) Matt Ghali (Dec 08)
- Re: DNS - connection limit (without any extra hardware) Jo Rhett (Dec 27)
- Re: DNS - connection limit (without any extra hardware) Randy Bush (Dec 27)
- Network security practices survey Sean Donelan (Dec 09)