[Pdns-users] Handling packet flood from one client.
Leen Besselink
leen at wirehub.nl
Wed Jan 28 11:58:33 UTC 2009
Ton van Rosmalen wrote:
> Leen Besselink schreef:
>> On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote:
>>
>>> Obviously; but that's being reactive; I was looking for something more
>>> proactive. --Augie
>>>
>>>
>>
>> I've not tested it, but I understand the u32 option is available on Debian/Linux for example:
>>
>> http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
>>
>> That might do what you want.
>>
>>
> How about rate limiting using iptables? You'd have to determine some
> sort of general usage rule or manually add IP addresses to the list that's
> limited.
>
I didn't know iptables had an easy way to do this per source address.
But I've looked around and possibly the recent iptables module
would be able to do so:
http://www.debian-administration.org/articles/187
OpenBSD's PF would probably be able to though:
http://www.openbsd.org/faq/pf/filter.html#stateopts
I just had a list of IP addresses and only return a small packet for the
rest, but I'm definitely still considering changing it, because there are
a few new ones every few days.
Although someone on the NANOG mailing list I read sends an update each
time, I must say, that's convenient too. :-)
I don't particularly like rate-limiting something as important as DNS for
where I work.
PS: You were probably not aware of it, but please don't send HTML-only
e-mails to mailing lists; some people don't like it. Thunderbird does
support it, I think.
>
> Regards,
>
> Ton
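The per-source rate limit discussed in this thread, as an added example that is not from the mail or from PowerDNS: it builds the iptables rules around the recent module and assumes a chain name DNSLIMIT, a list name DNSFLOOD, a threshold of 20 queries per source per second, and a constructed trusted resolver address.

```shell
#!/bin/sh
# Added example: per-source rate limit for UDP DNS queries with the iptables
# "recent" module. Chain/list names, thresholds and the trusted address are
# constructed assumptions, not values from the thread.
set -eu

IPT="${IPT:-iptables}"            # set IPT="echo iptables" for a dry run
RECENT_LIST="DNSFLOOD"            # recent-module tracking table
TRUSTED="${TRUSTED:-192.0.2.53}"  # constructed resolver that is never limited

# xt_recent keeps only ip_pkt_list_tot timestamps per source (kernel default
# 20), so a --hitcount above that limit can never match. Returns 1 if so.
validate_hitcount() {
    limit="${RECENT_PKT_LIST_TOT:-}"
    if [ -z "$limit" ] && [ -r /sys/module/xt_recent/parameters/ip_pkt_list_tot ]; then
        limit=$(cat /sys/module/xt_recent/parameters/ip_pkt_list_tot)
    fi
    [ "$1" -le "${limit:-20}" ]
}

# Emit the rule arguments (without the iptables binary), one rule per line:
#   $1 = window in seconds, $2 = max packets per source within that window.
# --set records every query; --rcheck drops once the window holds $2 hits
# without refreshing the timestamp, so a source recovers as soon as it slows.
dns_ratelimit_rules() {
    secs="$1"; hits="$2"
    cat <<EOF
-N DNSLIMIT
-A DNSLIMIT -s $TRUSTED -j RETURN
-A DNSLIMIT -m recent --name $RECENT_LIST --set
-A DNSLIMIT -m recent --name $RECENT_LIST --rcheck --seconds $secs --hitcount $hits -j DROP
-A INPUT -p udp --dport 53 -j DNSLIMIT
EOF
}

# Apply the rules (fails on the second run because the chain already exists).
apply_dns_ratelimit() {
    dns_ratelimit_rules "$1" "$2" | while IFS= read -r rule; do
        $IPT $rule   # word-splitting the rule into arguments is intended
    done
}

# PF counterpart for the OpenBSD stateopts the mail links to (assumed shape):
#   pass in proto udp to port 53 keep state (max-src-states 50, source-track rule)
# max-src-conn-rate applies to TCP only, so UDP DNS needs max-src-states.

# Usage: DNS_LIMIT_APPLY=1 sh dnslimit.sh   (20 queries per source per second)
if [ "${DNS_LIMIT_APPLY:-0}" = 1 ]; then
    validate_hitcount 20
    apply_dns_ratelimit 1 20
fi
```

Run once with `IPT="echo iptables"` to review the generated rules before applying them.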