North American Network Operators Group mailing list archive

RE: DNS - connection limit (without any extra hardware)
On Fri, 8 Dec 2006, Geo. wrote:

> I know this is kind of a crazy idea but how about making cleaning up all
> these infected machines the priority as a solution instead of defending your
> dns from your infected clients. They not only affect you, they affect the
> rest of us so why should we give you a solution to your problem when you
> don't appear to care about causing problems for the rest of us?
>
> George Roettger

Actually, reading your reply (which is the same as my own, pretty much), I figure the guy asked a question and he has a real problem. Assuming he doesn't want to clean them up is not nice of us.

Luke: It is possible the DNS queries made are for non-existent domains, fake replies, perhaps even making them something in 1918 space, and they MAY stop being not nice netizens.

Gadi.

> From: [email protected] [mailto:[email protected]] On Behalf Of
> Luke
> Sent: Friday, December 08, 2006 9:41 AM
> To: [email protected]
> Subject: DNS - connection limit (without any extra hardware)
>
>
> Hi,
> as a consequence of a virus diffused in my customer-base, I often receive
> big bursts of traffic on my DNS servers.
> Unluckily, a lot of clients start to bomb my DNSs at a certain hour, so I
> have a distributed tentative of denial of service.
> I can't blacklist them on my DNSs, because the infected clients are too
> many.
>
> For this reason, I would like that a DNS could respond to a maximum of 10
> queries per second given by every single IP address.
> Does anybody know a solution, just using iptables/netfilter/kernel tuning/BIND
> tuning, without using any hardware traffic shaper?
>
> Thanks
> Best Regards
>
> Luke
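One netfilter-only way to do what Luke asks, keyed on each client's source address, is the hashlimit match. The script below is an added example, not something posted in this thread; it assumes an iptables build whose hashlimit supports --hashlimit-above, that eth0 is the customer-facing interface, and the 10 queries per second figure from the question.

```shell
#!/bin/sh
# Added example (not from the thread): per-source-IP DNS query limit using
# the netfilter hashlimit match, which keeps a token bucket per source
# address. Assumed: iptables with --hashlimit-above support, eth0 faces the
# customers, and 10 queries/sec with a burst of 10 is the policy wanted.
DNS_RATE="${DNS_RATE:-10/sec}"     # per-source rate from the question
DNS_BURST="${DNS_BURST:-10}"       # packets allowed before the limit bites
DNS_IFACE="${DNS_IFACE:-eth0}"     # assumed customer-facing interface
IPT="${IPT:-iptables}"

# With DRY_RUN=1 print each iptables command instead of executing it,
# so the rule set can be reviewed before it touches a live resolver.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Chain that handles excess queries: log a trickle of them for detection
# (bounded by -m limit so the log cannot become its own flood), then drop.
make_limit_chain() {
    run "$IPT" -N DNS_LIMIT
    run "$IPT" -A DNS_LIMIT -m limit --limit 6/min -j LOG \
        --log-prefix "DNS-RATELIMIT: "
    run "$IPT" -A DNS_LIMIT -j DROP
}

# Send port-53 packets from a source that is above DNS_RATE to DNS_LIMIT.
# --hashlimit-mode srcip keys the bucket on the client address, so one
# noisy client cannot consume the budget of the others. Note that for TCP
# this counts every packet of a connection, not queries.
limit_dns_proto() {
    proto="$1"
    run "$IPT" -A INPUT -i "$DNS_IFACE" -p "$proto" --dport 53 \
        -m hashlimit --hashlimit-mode srcip \
        --hashlimit-above "$DNS_RATE" --hashlimit-burst "$DNS_BURST" \
        --hashlimit-name "dns_$proto" -j DNS_LIMIT
}

apply_dns_limit() {
    make_limit_chain
    limit_dns_proto udp
    limit_dns_proto tcp
}

# Usage: DRY_RUN=1 sh dns-limit.sh apply   (review), then without DRY_RUN.
if [ "${1:-}" = "apply" ]; then apply_dns_limit; fi
```

The "DNS-RATELIMIT:" log prefix gives a ready-made search key for finding which customers are over the limit, which is the list you want for the clean-up Geo is asking for.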