Brian Somers <[email protected]> wrote:
> Hi folks,

Hi Brian!

> However, during the attack, we also saw a huge number of TCP sockets in
> TIME_WAIT talking to root servers (probably all root servers). I’m curious if
>
> 1. Are root servers doing some sort of tar pitting where they send a TC
> and then firewall port 53?

This TIME_WAIT problem is a normal consequence of making lots of short-lived TCP connections for which you initiated the close, i.e. a tragic mismatch between what a recursive DNS resolver needs and what TCP provides.

The standard TIME_WAIT period is huge compared to typical segment lifetimes. You can reduce it using sysctl on FreeBSD but not Linux. Linux instead has a couple of options to recycle TIME_WAIT sockets, one of which is (IME) ineffective in this kind of situation, and the other is reportedly unsafe.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/ - I xn--zr8h punycode
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
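As an added example, not code from Tony's message or from any resolver or operating system discussed in the thread: a short Python script that parses `ss -tan` output and tallies TIME-WAIT sockets per peer port and per peer host, so an operator seeing the pile-up Brian describes can confirm it is outbound port-53 connections that the resolver itself closed (TIME_WAIT only exists on the side that sent the first FIN). It also works out the rough connection rate one ephemeral port range can sustain to a single peer before ports run out. The sample `ss` lines are constructed, using RFC 5737/RFC 3849 documentation addresses, and the 60 s TIME_WAIT length and 32768-60999 ephemeral range are Linux defaults assumed for the estimate.

```python
"""Tally TIME-WAIT sockets per peer from `ss -tan` output.

Added example, not code from the thread. SAMPLE_SS_OUTPUT is constructed
text in the column layout `ss -tan` prints, using documentation addresses;
on a real host feed it subprocess.check_output(["ss", "-tan"], text=True).
"""
from collections import Counter

SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port      Peer Address:Port
TIME-WAIT  0      0      192.0.2.10:48211        203.0.113.4:53
TIME-WAIT  0      0      192.0.2.10:48212        203.0.113.4:53
TIME-WAIT  0      0      192.0.2.10:48213        203.0.113.9:53
ESTAB      0      0      192.0.2.10:22           198.51.100.7:51022
TIME-WAIT  0      0      192.0.2.10:51234        198.51.100.20:443
TIME-WAIT  0      0      [2001:db8::10]:48214    [2001:db8:1::53]:53
"""

# Linux defaults, assumed for the rate estimate below: TIME_WAIT lasts
# TCP_TIMEWAIT_LEN = 60 s and the ephemeral range is 32768-60999.
LINUX_TIME_WAIT_SECONDS = 60
LINUX_EPHEMERAL_PORTS = 60999 - 32768 + 1   # 28232


def split_addr(field):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss(text):
    """Return [(state, (local_host, local_port), (peer_host, peer_port)), ...]."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":   # skip header / blanks
            continue
        # ss prints TIME-WAIT, netstat prints TIME_WAIT; normalise both.
        state = parts[0].replace("-", "_")
        rows.append((state, split_addr(parts[3]), split_addr(parts[4])))
    return rows


def time_wait_by_peer_port(rows):
    """How many TIME_WAIT sockets point at each remote port (53 = DNS)."""
    return Counter(peer[1] for state, _, peer in rows if state == "TIME_WAIT")


def time_wait_peers(rows, port=53):
    """Which remote hosts on `port` we closed connections to recently.

    TIME_WAIT only exists on the side that sent the first FIN, so these are
    connections the local resolver shut down, not ones the server dropped.
    """
    return Counter(peer[0] for state, _, peer in rows
                   if state == "TIME_WAIT" and peer[1] == port)


def max_sustainable_rate(ephemeral_ports=LINUX_EPHEMERAL_PORTS,
                         time_wait_seconds=LINUX_TIME_WAIT_SECONDS):
    """Rough steady-state ceiling on new connections per second to one
    peer address:port before the local ephemeral range is exhausted:
    each closed connection pins its 4-tuple for time_wait_seconds."""
    return ephemeral_ports // time_wait_seconds


if __name__ == "__main__":
    rows = parse_ss(SAMPLE_SS_OUTPUT)
    print("TIME_WAIT by peer port:", dict(time_wait_by_peer_port(rows)))
    print("TIME_WAIT peers on 53:", dict(time_wait_peers(rows)))
    print("max conn/s per peer (Linux defaults):", max_sustainable_rate())
```

With the defaults assumed above, one resolver can open only about 470 connections per second to a given authoritative address before its ephemeral ports are all parked in TIME_WAIT, which is why a burst of short TCP queries to a handful of root-server addresses fills the table so fast. Tony does not name the knobs; for the record, the FreeBSD sysctl that shortens the wait is net.inet.tcp.msl (TIME_WAIT is 2*MSL), and the two Linux recycling options are net.ipv4.tcp_tw_reuse and net.ipv4.tcp_tw_recycle, the latter removed from the kernel in 4.12.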
