North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: DNS - connection limit (without any extra hardware)

  • From: Geo.
  • Date: Fri Dec 08 10:52:11 2006

I know this is kind of a crazy idea but how about making cleaning up all these infected machines the priority as a solution instead of defending your dns from your infected clients. They not only affect you, they affect the rest of us so why should we give you a solution to your problem when you don't appear to care about causing problems for the rest of us?
George Roettger
-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of Luke
Sent: Friday, December 08, 2006 9:41 AM
To: [email protected]
Subject: DNS - connection limit (without any extra hardware)

as a comsequence of a virus diffused in my customer-base, I often receive big bursts of traffic on my DNS servers.
Unluckly, a lot of clients start to bomb my DNSs at a certain hour, so I have a distributed tentative of denial of service.
I can't blacklist them on my DNSs, because the infected clients are too much.

For this reason, I would like that a DNS could response maximum to 10 queries per second given by every single Ip address.
Anybody knows a solution, just using iptables/netfilter/kernel tuning/BIND tuning, without using any hardware traffic shaper?

Best Regards