[93633] in North American Network Operators' Group


Re: DNS - connection limit (without any extra hardware)

daemon@ATHENA.MIT.EDU (Douglas Otis)
Fri Dec 8 19:12:29 2006

In-Reply-To: <33f728c0612080640l27abf702r3df634d5223b9e0f@mail.gmail.com>
Cc: nanog@nanog.org
From: Douglas Otis <dotis@mail-abuse.org>
Date: Fri, 8 Dec 2006 15:57:24 -0800
To: Luke <very.luke@gmail.com>
Errors-To: owner-nanog@merit.edu



On Dec 8, 2006, at 6:40 AM, Luke wrote:

> Hi,
> as a consequence of a virus spreading in my customer base, I often
> receive big bursts of traffic on my DNS servers. Unluckily, a lot of
> clients start to bomb my DNSs at a certain hour, so I have a
> distributed attempt at denial of service. I can't blacklist them
> on my DNSs, because the infected clients are too many.
>
> For this reason, I would like a DNS to respond to a maximum of
> 10 queries per second from every single IP address. Does anybody
> know a solution, just using iptables/netfilter/kernel tuning/BIND
> tuning, without using any hardware traffic shaper?

One effective strategy is to make 0wning your customer's system less  
profitable.  Here is a good article by Suresh Ramasubramanian:

http://www.circleid.com/posts/port_25_blocking_or_fix_smtp_and_leave_port_25_alone_for_the_sake_of_spam/

Some have been successful with notification tools such as those  
offered by:

http://www.perftech.com/

Customers are directed to a free scrub that does not depend upon OS  
validation status, such as Housecall.

-Doug
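Luke's question asks for a per-source limit of 10 queries per second without extra hardware. The block below is an added example, not code from either poster: it simulates the per-source token bucket that netfilter's hashlimit match applies when told "10/sec per srcip" with a burst allowance, and runs it over a constructed query stream containing one infected host (200 qps for two seconds) and one clean host whose browser fires 15 lookups in 15 ms. The addresses, rates and timings are constructed for illustration; exact arithmetic via Fraction keeps the boundary cases deterministic.

```python
"""Per-source-IP DNS query rate limiting, modelled as a token bucket.

Added example; not code from the thread. It simulates what netfilter's
hashlimit match does for "N queries/sec per source IP": each source
address gets its own bucket that refills at `rate` tokens per second
and holds at most `burst` tokens; a query is served only if a token is
available. The query stream is constructed, not captured.
"""
from collections import defaultdict
from fractions import Fraction


class PerSourceLimiter:
    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)
        self.burst = Fraction(burst)
        self.buckets = {}  # src -> (tokens, last_seen)

    def allow(self, src, now):
        # A source never seen before starts with a full bucket.
        tokens, last = self.buckets.get(src, (self.burst, now))
        # Refill for the time elapsed since this source was last seen,
        # capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


def run(queries, rate, burst):
    """Return {src: (served, dropped)} for a time-ordered (t, src) stream."""
    lim = PerSourceLimiter(rate, burst)
    tally = defaultdict(lambda: [0, 0])
    for t, src in queries:
        tally[src][0 if lim.allow(src, t) else 1] += 1
    return {src: tuple(v) for src, v in tally.items()}


def constructed_stream():
    # Constructed sample: an infected host (10.0.0.7) firing 200 qps for
    # 2 s, plus a clean host (10.0.0.42) whose browser issues 15 lookups
    # within 15 ms starting at t = 0.5 s.
    q = [(Fraction(i, 200), "10.0.0.7") for i in range(400)]
    q += [(Fraction(1, 2) + Fraction(i, 1000), "10.0.0.42") for i in range(15)]
    q.sort(key=lambda e: e[0])
    return q


if __name__ == "__main__":
    for burst in (1, 20):
        print("burst=%d:" % burst, run(constructed_stream(), rate=10, burst=burst))
```

With burst=20 the infected host is held to 39 answers over two seconds (the initial bucket plus roughly 10/s thereafter) while the clean host's 15-lookup page load is served in full; with burst=1 the same 10/s rate drops 14 of the clean host's 15 lookups, because a stub resolver's parallel queries arrive far faster than one per 100 ms. The netfilter equivalent of the burst=20 run is an ACCEPT rule on udp/53 with `-m hashlimit --hashlimit-mode srcip --hashlimit 10/sec --hashlimit-burst 20 --hashlimit-name dns`, followed by a DROP for the remainder. Two caveats a practitioner should weigh: dropped UDP queries are retried by the client, so the load does not vanish, it is merely bounded; and because the key is the source address, a spoofed-source flood against a resolver reachable from outside the customer network can exhaust the bucket of any address the attacker chooses, so this belongs behind ingress filtering.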
