[93611] in North American Network Operators' Group
RE: DNS - connection limit (without any extra hardware)
daemon@ATHENA.MIT.EDU (Geo.)
Fri Dec 8 10:40:26 2006
From: "Geo." <geoincidents@nls.net>
To: <nanog@nanog.org>
Date: Fri, 8 Dec 2006 10:25:43 -0500
In-Reply-To: <33f728c0612080640l27abf702r3df634d5223b9e0f@mail.gmail.com>
Errors-To: owner-nanog@merit.edu
I know this is kind of a crazy idea, but how about making cleaning up all
these infected machines the priority as a solution, instead of defending your
DNS from your infected clients? They not only affect you, they affect the
rest of us, so why should we give you a solution to your problem when you
don't appear to care about causing problems for the rest of us?
George Roettger
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
Luke
Sent: Friday, December 08, 2006 9:41 AM
To: nanog@nanog.org
Subject: DNS - connection limit (without any extra hardware)
Hi,
as a consequence of a virus diffused in my customer base, I often receive
big bursts of traffic on my DNS servers.
Unluckily, a lot of clients start to bomb my DNSs at a certain hour, so I
have a distributed attempt at denial of service.
I can't blacklist them on my DNSs, because the infected clients are too
many.
For this reason, I would like a DNS server to respond to a maximum of 10
queries per second from every single IP address.
Does anybody know a solution, just using iptables/netfilter/kernel tuning/BIND
tuning, without using any hardware traffic shaper?
Thanks
Best Regards
Luke
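The per-source-IP limit Luke asks for can be expressed with netfilter's hashlimit match, which keeps one token bucket per source address. The script below is an added example for this thread, not something posted by either participant; it assumes a Linux resolver with iptables and the xt_hashlimit module, and the chain name DNS_LIMIT, the hash table name dnsq and the log prefix are placeholders chosen here. It prints the rules rather than loading them, so the generated set can be reviewed before `dns_ratelimit_apply` pipes it into the kernel.

```shell
#!/bin/sh
# Per-source-IP rate limit for inbound DNS queries (added example, not from
# the NANOG thread). Assumes iptables with the hashlimit match; chain name,
# table name and log prefix below are placeholders.

# Emit the iptables commands for a given sustained rate and burst.
# $1 = queries per second allowed per source IP (default 10/sec, as in Luke's post)
# $2 = burst tolerated before the limit bites (default 20)
dns_ratelimit_rules() {
    rate="${1:-10/sec}"
    burst="${2:-20}"
    cat <<EOF
iptables -N DNS_LIMIT
iptables -A DNS_LIMIT -m hashlimit --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-mode srcip --hashlimit-name dnsq --hashlimit-htable-expire 10000 -j RETURN
iptables -A DNS_LIMIT -m limit --limit 1/sec -j LOG --log-prefix "DNS_LIMIT drop: "
iptables -A DNS_LIMIT -j DROP
iptables -I INPUT -p udp --dport 53 -j DNS_LIMIT
iptables -I INPUT -p tcp --dport 53 --syn -j DNS_LIMIT
EOF
}

# Load the rules into the running kernel (needs root).
dns_ratelimit_apply() {
    dns_ratelimit_rules "$@" | sh
}

# Standalone use: print the rule set for review.
dns_ratelimit_rules "$@"
```

Queries from a source that stays under the bucket rate RETURN to INPUT and reach BIND as before; once a single address exceeds the rate plus burst, its further packets are logged (throttled to one line per second so logging itself cannot flood) and dropped. Per-address state can be inspected in /proc/net/ipt_hashlimit/dnsq and the drop counters with `iptables -vnL DNS_LIMIT`. The `--hashlimit-upto` spelling is the one current iptables documents; older releases contemporary with this thread accept the same rate as `--hashlimit`. BIND 9.9.4 and later also ship a response rate limiter (`rate-limit { responses-per-second 10; };` in `options`), which limits at the answer side rather than the packet side, but that option postdates this 2006 discussion.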