Hi! What is your CPU (lscpu) and `knotc status workers`? How do you install Knot (our packages have an increased limit on the number of open files)?
Could you please provide us with the full list of terminated remote addresses? We (the Knot project) have been implementing some anti-DDoS solutions, so this could help us.

Daniel

On 6/10/24 23:48, Randy Bush wrote:
so, school is out and the children are on the loose

2024-06-10T21:27:24.199750+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2620:171:c2::49@33322
2024-06-10T21:27:24.200561+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 167.99.160.10@14871
2024-06-10T21:27:24.200642+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 34.223.46.240@53392
2024-06-10T21:27:24.201218+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 167.99.160.10@2011
2024-06-10T21:27:24.201422+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 81.106.125.151@54192
2024-06-10T21:27:24.203263+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 34.223.46.240@53398
2024-06-10T21:27:24.203643+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 139.99.166.37@42942
2024-06-10T21:27:25.199585+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 3.228.173.229@34084
2024-06-10T21:27:25.199678+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 76.93.200.106@10371
2024-06-10T21:27:25.200951+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2a02:6b8:c04:262:0:433f:1:3@33586
2024-06-10T21:27:25.201029+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2600:3c09::f03c:93ff:fea9:4de0@54166
2024-06-10T21:27:25.201207+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 118.99.2.29@33170
2024-06-10T21:27:25.201385+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 213.187.92.252@40559
2024-06-10T21:27:26.200340+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2a02:6b8:c04:262:0:433f:1:3@33594
2024-06-10T21:27:26.200529+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 40.79.144.82@59683
2024-06-10T21:27:26.203837+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 103.85.93.93@60578
2024-06-10T21:27:26.205102+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 13.244.33.51@33812
2024-06-10T21:27:27.208589+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 18.139.204.179@46824
2024-06-10T21:27:27.210062+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 20.125.201.35@63627
2024-06-10T21:27:27.331742+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 172.217.37.144@64719
2024-06-10T21:27:27.332050+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 191.233.201.73@61718
2024-06-10T21:27:27.391797+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 81.106.125.151@50624

like tens of thousands. some children are like that.

so, we take this as an opportunity to learn a bit more about knot tuning

we shortened `tcp-idle-timeout: 2`
we set `tcp-max-clients: 20`

rate limiting seems unlikely to improve things as it is many sources, a DDoS

what else are we missing?

btw, it also whacked knot enough that it failed a resign cycle and we had to add `unsafe-operation: no-check-keyset` to get back to signing.

clues appreciated. this can't be the only neighborhood with children.

randy
--
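Daniel asks for the full list of terminated remote addresses, and Randy's excerpt shows the exact notice that list has to be pulled from. The script below is an added example for this thread, not code from either poster or from the Knot project: it parses knotd `TCP, terminated inactive client` notices in the syslog form shown above, aggregates them per remote address and per /24 or /64 prefix, and reports the busiest sources and the termination rate over the observed window. The embedded sample lines are constructed with RFC 5737 / RFC 3849 documentation addresses rather than the real sources from Randy's log, and the hostname `rip` and PID are copied from the posted format only so the regex is exercised on realistic input.

```python
"""Summarise knotd 'terminated inactive client' notices per remote address.

Added example for the thread above; not Knot project code. Reads syslog-style
lines like the ones Randy posted, either from a file named on the command line
or from the constructed sample below.
"""
import ipaddress
import re
import sys
from datetime import datetime

# Shape of the notice as it appears in the thread. The address field is
# <ip>@<port>; IPv6 addresses contain ':' so the split is on the final '@'.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+knotd\[\d+\]:\s+notice:\s+TCP, terminated inactive client,"
    r"\s+address\s+(?P<addr>\S+)@(?P<port>\d+)\s*$"
)

# Constructed sample (RFC 5737 / RFC 3849 documentation addresses, not the
# real sources from the thread). One non-matching line is included on purpose.
SAMPLE_LOG = """\
2024-06-10T21:27:24.199750+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 192.0.2.10@33322
2024-06-10T21:27:24.200561+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 198.51.100.7@14871
2024-06-10T21:27:24.201218+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 198.51.100.7@2011
2024-06-10T21:27:25.199585+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2001:db8:1::5@33586
2024-06-10T21:27:25.200951+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 2001:db8:1::6@54166
2024-06-10T21:27:26.200340+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 198.51.100.7@40559
2024-06-10T21:27:26.203837+00:00 rip knotd[1389]: info: (constructed line that is not a termination notice)
2024-06-10T21:27:27.208589+00:00 rip knotd[1389]: notice: TCP, terminated inactive client, address 192.0.2.10@33812
"""


def parse_line(line):
    """Return (timestamp, ip, port) for a termination notice, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("addr"))
        ts = datetime.fromisoformat(m.group("ts"))  # RFC 3339 form as in the post
    except ValueError:
        return None
    return ts, ip, int(m.group("port"))


def aggregate(lines):
    """Per-address stats: connection count, distinct source ports, first/last seen."""
    stats = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, port = parsed
        s = stats.setdefault(str(ip), {"count": 0, "ports": set(), "first": ts, "last": ts})
        s["count"] += 1
        s["ports"].add(port)  # many ports from one address = one host churning connections
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def remote_address_list(stats):
    """The full list of terminated remote addresses: IPv4 first, each family in address order."""
    return sorted(stats, key=lambda a: (ipaddress.ip_address(a).version, ipaddress.ip_address(a)))


def top_sources(stats, n=10):
    """Busiest addresses as (address, count), highest count first, ties by address."""
    return sorted(((a, s["count"]) for a, s in stats.items()), key=lambda x: (-x[1], x[0]))[:n]


def by_prefix(stats, v4_len=24, v6_len=64):
    """Fold addresses into /24 (IPv4) or /64 (IPv6) prefixes so scattered sources in one network show together."""
    out = {}
    for addr, s in stats.items():
        ip = ipaddress.ip_address(addr)
        net = ipaddress.ip_network(f"{ip}/{v4_len if ip.version == 4 else v6_len}", strict=False)
        out[str(net)] = out.get(str(net), 0) + s["count"]
    return out


def termination_rate(stats):
    """Terminations per second over the observed window (the plain total if all share one timestamp)."""
    if not stats:
        return 0.0
    first = min(s["first"] for s in stats.values())
    last = max(s["last"] for s in stats.values())
    total = sum(s["count"] for s in stats.values())
    span = (last - first).total_seconds()
    return total / span if span > 0 else float(total)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    stats = aggregate(lines)
    print(f"{sum(s['count'] for s in stats.values())} terminations from "
          f"{len(stats)} addresses, {termination_rate(stats):.1f}/s over the window")
    for addr, count in top_sources(stats):
        print(f"{count:6d}  {addr:40s} ports={len(stats[addr]['ports'])}")
    for net, count in sorted(by_prefix(stats).items(), key=lambda x: -x[1]):
        print(f"{count:6d}  {net}")
```

Run it against a file of the raw syslog lines (the timestamp parser expects the `2024-06-10T21:27:24.199750+00:00` form shown in the post). Two shapes are worth telling apart in the output: a handful of addresses each with many distinct source ports means a few hosts churning connections and a per-source block or lower `tcp-max-clients` bites; thousands of addresses with one or two connections each is the distributed pattern Randy describes, where per-source rate limiting buys little, which is exactly why the full address and prefix list is what Daniel asked for.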