[93615] in North American Network Operators' Group


Re: DNS - connection limit (without any extra hardware)

daemon@ATHENA.MIT.EDU (Gadi Evron)
Fri Dec 8 11:31:32 2006

Date: Fri, 8 Dec 2006 09:58:04 -0600 (CST)
From: Gadi Evron <ge@linuxbox.org>
To: Luke <very.luke@gmail.com>
Cc: nanog@nanog.org
In-Reply-To: <33f728c0612080640l27abf702r3df634d5223b9e0f@mail.gmail.com>
Errors-To: owner-nanog@merit.edu


On Fri, 8 Dec 2006, Luke wrote:
> Hi,
> As a consequence of a virus spread in my customer base, I often receive
> big bursts of traffic on my DNS servers.
> Unluckily, a lot of clients start to bomb my DNSs at a certain hour, so I
> have a distributed denial-of-service attempt.
> I can't blacklist them on my DNSs, because the infected clients are too
> many.
> 
> For this reason, I would like a DNS server to respond to a maximum of 10
> queries per second from every single IP address.
> Does anybody know a solution using just iptables/netfilter/kernel tuning/BIND
> tuning, without using any hardware traffic shaper?
> 

"I have a bot-infested network, they really tax my services! How can I
make my services ignore them so that the clients start calling me and
spending my tech support budget?"

> Thanks
> Best Regards
> 
> Luke
> 

	Gadi.
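What Luke asks for can be done with netfilter's hashlimit match, which keeps a per-source-IP token bucket in the kernel. The script below is an added example, not code from the thread: it emits iptables rules that cap port 53 queries per source address; the chain names, the 10 qps / 20 burst defaults and the log prefix are assumptions, and it assumes a Linux host whose iptables has the hashlimit and limit matches.

```shell
#!/bin/sh
# Emit (not apply) iptables rules that rate-limit DNS queries per source IP.
# Run the output as root to apply it; review it first, as with any firewall change.
# Assumptions: chain names DNS_LIMIT / DNS_OVER and the log prefix are made up here.

dns_ratelimit_rules() {
    rate="${1:-10}"    # queries per second allowed per source IP (the 10 qps asked for)
    burst="${2:-20}"   # short burst tolerated before the limit engages
    # Dedicated chains: the policy can be flushed or tuned without touching INPUT.
    echo "iptables -N DNS_LIMIT"
    echo "iptables -N DNS_OVER"
    # Send UDP queries and new TCP connections to port 53 through the limiter.
    echo "iptables -A INPUT -p udp --dport 53 -j DNS_LIMIT"
    echo "iptables -A INPUT -p tcp --dport 53 --syn -j DNS_LIMIT"
    # hashlimit keyed on srcip: one bucket per source address; packets ABOVE the
    # configured rate match and are diverted to DNS_OVER, the rest return to INPUT.
    echo "iptables -A DNS_LIMIT -m hashlimit --hashlimit-name dns-src --hashlimit-mode srcip --hashlimit-above ${rate}/sec --hashlimit-burst ${burst} -j DNS_OVER"
    echo "iptables -A DNS_LIMIT -j RETURN"
    # Log a capped sample of over-rate sources (so logging itself cannot flood), then drop.
    echo "iptables -A DNS_OVER -m limit --limit 5/min -j LOG --log-prefix \"DNS-RATELIMIT: \""
    echo "iptables -A DNS_OVER -j DROP"
}

# Print the rule set for the given rate and burst (defaults: 10 qps, burst 20).
dns_ratelimit_rules "${1:-10}" "${2:-20}"
```

The per-source table is visible under /proc/net/ipt_hashlimit/dns-src, which is the cheapest place to see which addresses are being limited. Dropped queries still trigger resolver retries from the infected hosts, and a source that spoofs its address is limited by the spoofed address rather than the real one.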

