Re: [Pdns-users] Handling packet flood from one client.
Leen Besselink wrote:
> On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote:
> > Obviously; but that's being reactive; I was looking for something more proactive.
> > --Augie
>
> I've not tested it, but I understand the u32 option is available on Debian/Linux for example:
> http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
> That might do what you want.

How about rate limiting using iptables? You'd have to determine some sort of general usage rule or manually add IP addresses to the list that's limited.

Regards,
Ton

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] Handling packet flood from one client.
Ton van Rosmalen wrote:
> Leen Besselink wrote:
> > On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote:
> > > Obviously; but that's being reactive; I was looking for something more proactive.
> > > --Augie
> >
> > I've not tested it, but I understand the u32 option is available on Debian/Linux for example:
> > http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
> > That might do what you want.
>
> How about rate limiting using iptables? You'd have to determine some sort of general usage rule or manually add IP addresses to the list that's limited.

I didn't know iptables had an easy way to do this per source address. But I've looked around and possibly the recent iptables module would be able to do so:
http://www.debian-administration.org/articles/187

OpenBSD's PF would probably be able to, though:
http://www.openbsd.org/faq/pf/filter.html#stateopts

I just had a list of IP addresses and only return a small packet for the rest, but I'm definitely still considering changing it, because there are a few new ones every few days. Although someone on the NANOG mailing list I read sends an update each time, I must say, that's convenient too. :-)

I don't particularly like rate-limiting something as important as DNS for where I work.

PS: You were probably not aware of it, but please don't send HTML-only e-mails to mailing lists; some people don't like it. Thunderbird does support it, I think.

> Regards,
> Ton
Re: [Pdns-users] Handling packet flood from one client.
We discussed this on #powerdns a bit as it came up on the dns-operations list; the conclusion was that dropping the request was worse because it opened up spoofing attacks.

Thanks for the suggestion though.

--Augie

On Tue, Jan 27, 2009 at 3:17 PM, Leen Besselink l...@wirehub.nl wrote:
> On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote:
> > Obviously; but that's being reactive; I was looking for something more proactive.
> > --Augie
>
> I've not tested it, but I understand the u32 option is available on Debian/Linux for example:
> http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
> That might do what you want.
>
> > 2009/1/27 Jeroen Wunnink jer...@easyhosting.nl:
> > > Just firewall the IP ?
> > >
> > > Augie Schwer wrote:
> > > > Does anyone have other solutions?

--
Augie Schwer - au...@schwer.us - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
Re: [Pdns-users] Handling packet flood from one client.
On Wed, Jan 28, 2009 at 11:07:53AM -0800, Augie Schwer wrote:
> We discussed this on #powerdns a bit as it came up on the dns-operations list; the conclusion was that dropping the request was worse because it opened up spoofing attacks.
>
> Thanks for the suggestion though.
>
> --Augie

Yes, that is the other problem. It's also a reason why I only drop queries from those few IPs at work.

There is obviously another problem with that, which Paul Vixie already mentioned on the NANOG mailing list: if the targeted IPs are actually resolvers, they wouldn't be able to query our nameservers. Although it's not really all that bad: first of all, the connection of that IP address is probably flooded, because of all the answers going to that IP address. If that didn't happen and it really was a recursor, I think it would be really easy to move the outgoing address to another IP address, because the people running that recursor very well know there are people helping them by blocking those questions.

All in all I think blocking just a few addresses isn't all that bad. Better is nagging your transit provider about it, because the source network should do proper filtering. That's something I started doing today, because it has been going on for weeks now (it started in December somewhere). Someone should have noticed that traffic leaving some of these networks and fixed it. If not, they should at least be notified.

Well, that was my reasoning. :-)
Re: [Pdns-users] Handling packet flood from one client.
Just firewall the IP ?

Augie Schwer wrote:
> Does anyone have other solutions?

--
Kind regards,
Jeroen Wunnink, EasyHosting B.V.
System administrator
systeembeh...@easyhosting.nl
phone: +31 (035) 6285455
fax: +31 (035) 6838242
P.O. Box 48
3755 ZG Eemnes
http://www.easyhosting.nl
http://www.easycolocate.nl
Re: [Pdns-users] Handling packet flood from one client.
Obviously; but that's being reactive; I was looking for something more proactive.

--Augie

2009/1/27 Jeroen Wunnink jer...@easyhosting.nl:
> Just firewall the IP ?
>
> Augie Schwer wrote:
> > Does anyone have other solutions?

--
Augie Schwer - au...@schwer.us - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
Re: [Pdns-users] Handling packet flood from one client.
On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote:
> Obviously; but that's being reactive; I was looking for something more proactive.
> --Augie

I've not tested it, but I understand the u32 option is available on Debian/Linux for example:
http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/

That might do what you want.

> 2009/1/27 Jeroen Wunnink jer...@easyhosting.nl:
> > Just firewall the IP ?
> >
> > Augie Schwer wrote:
> > > Does anyone have other solutions?
[Pdns-users] Handling packet flood from one client.
Is there a way for the PowerDNS authoritative server to handle a flood of requests from a single client? We were getting 5k qps from a single client and were hitting max-queue-length; does PowerDNS have a way to rate limit in such instances?

Does anyone have other solutions?

--
Augie Schwer - au...@schwer.us - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
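A per-source query-rate check of the kind this thread is after (the single client at 5k qps, and the per-source-address limiting discussed in the replies), as an added example that is not PowerDNS code and not from anyone on the list. It assumes a constructed "epoch_seconds source_ip qname" query-log format and an operator-chosen threshold, and, because of the spoofing concern raised above, reports flagged sources as candidates for review rather than as an automatic block list.

```python
"""Per-source DNS query-rate check over constructed query-log lines."""
from collections import defaultdict, deque

# Constructed sample (not real traffic): 192.0.2.10 sends 30 queries
# within one second; two other clients send 2 queries each.
SAMPLE_LOG = (
    ["%.3f 192.0.2.10 example.org." % (1000.0 + i / 30.0) for i in range(30)]
    + ["1000.100 198.51.100.5 example.net.",
       "1000.900 198.51.100.5 example.com.",
       "1000.400 203.0.113.7 example.org.",
       "1001.700 203.0.113.7 example.org."]
)


def parse_line(line):
    """Split an assumed 'epoch_seconds source_ip qname' line into (float, str, str)."""
    ts, src, qname = line.split()
    return float(ts), src, qname


def rate_offenders(lines, threshold_qps, window=1.0):
    """Return {source_ip: peak_qps} for sources whose query count in any
    sliding window of `window` seconds exceeds threshold_qps * window.
    Lines may arrive unordered; they are sorted by timestamp first.
    Flagged sources are candidates for review, not an automatic block
    list: a flood's apparent source may be a spoofed resolver address.
    """
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)  # source_ip -> timestamps inside the window
    peak = defaultdict(int)      # source_ip -> largest window count seen
    for ts, src, _qname in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:   # expire timestamps older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    limit = threshold_qps * window
    return {src: n / window for src, n in peak.items() if n > limit}


if __name__ == "__main__":
    for src, qps in rate_offenders(SAMPLE_LOG, threshold_qps=10).items():
        print("%s peaks at %.0f qps; review before blocking" % (src, qps))
```

The threshold is the operator's call; the sample flags only the 30 qps source and leaves the two normal clients alone.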