North American Network Operators Group


DNS - connection limit (without any extra hardware)

  • From: Luke
  • Date: Fri Dec 08 10:08:53 2006

Hi,
as a consequence of a virus that has spread in my customer base, I often receive big bursts of traffic on my DNS servers.
Unluckily, a lot of clients start to bomb my DNS servers at a certain hour, so I have a distributed attempt at denial of service.
I can't blacklist them on my DNS servers, because there are too many infected clients.

For this reason, I would like a DNS server to respond to a maximum of 10 queries per second from every single IP address.
Does anybody know a solution using just iptables/netfilter/kernel tuning/BIND tuning, without using any hardware traffic shaper?

Thanks
Best Regards

Luke
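
One way to express the per-source limit asked about above with netfilter alone, as an added example that is not part of the original post: a script that emits an iptables-restore ruleset using the hashlimit match. The chain name DNS_RL, the hash table name dns_rl, the burst of 20 and the 10-second entry expiry are assumptions chosen for illustration; only the 10 queries per second figure comes from the post.

```shell
#!/bin/sh
# Added example: per-source-IP DNS rate limit with the netfilter hashlimit match.
# Assumes a Linux resolver listening on port 53 and iptables with hashlimit.

dns_ratelimit_rules() {
    rate=$1    # sustained queries per second allowed per source IP
    burst=$2   # packets a source may send back-to-back before the rate applies

    echo '*filter'
    # Hypothetical user-defined chain holding the limiter.
    echo ':DNS_RL - [0:0]'
    # UDP: every datagram to port 53 is one query, so count them all.
    echo '-A INPUT -p udp --dport 53 -j DNS_RL'
    # TCP: count only connection attempts (SYN), not every segment.
    echo '-A INPUT -p tcp --dport 53 --syn -j DNS_RL'
    # One token bucket per source address (srcip). Packets within the
    # rate return to INPUT and continue through the normal rules.
    printf '%s' '-A DNS_RL -m hashlimit --hashlimit-name dns_rl'
    printf '%s' ' --hashlimit-mode srcip'
    printf ' --hashlimit-upto %s/second --hashlimit-burst %s' "$rate" "$burst"
    # Forget a source after 10 s of silence so the table stays small.
    echo ' --hashlimit-htable-expire 10000 -j RETURN'
    # Anything above the per-source rate is dropped before it reaches BIND.
    echo '-A DNS_RL -j DROP'
    echo 'COMMIT'
}

# Default: print the ruleset for review. "apply" loads it (needs root).
# --noflush keeps the rules already present in the filter table.
case "${1:-print}" in
    apply) dns_ratelimit_rules 10 20 | iptables-restore --noflush ;;
    *)     dns_ratelimit_rules 10 20 ;;
esac
```

Per-source counters for the limiter can be read from /proc/net/ipt_hashlimit/dns_rl while the rules are loaded. Customers behind a shared NAT address share one bucket, so the rate may need to be higher for those sources.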