[Pdns-users] Handling packet flood from one client.
leen at wirehub.nl
Wed Jan 28 11:58:33 UTC 2009
Ton van Rosmalen wrote:
> Leen Besselink wrote:
>> On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote:
>>> Obviously; but that's being reactive; I was looking for something more
>>> proactive. --Augie
>> I've not tested it, but I understand the u32 option is available on Debian/Linux for example:
>> That might do what you want.
> How about rate limiting using iptables? You'd have to determine some
> sort of general usage rule or manually add IP addresses to the list that's
I didn't know iptables had an easy way to do this per source address. But
I've looked around and possibly the recent iptables module would be able
to do so:
OpenBSD's PF would probably be able to though:
I just had a list of IP addresses and only return a small packet for the
rest, but I'm definitely still considering changing it, because there are
a few new ones every few days.
Although someone on the NANOG mailing list I read sends an update each
time, I must say, that's convenient too. :-)
I don't particularly like rate-limiting something as important as DNS for
where I work.
PS You were probably not aware of it, but please don't send HTML-only
e-mails to mailing lists; some people don't like it. Thunderbird does
support it, I think.
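The thread mentions the iptables "recent" module as a way to rate-limit DNS queries per source address while keeping a hand-maintained list of addresses that should never be limited. The script below is an added example (not code posted in the thread, and not part of PowerDNS): it emits a small iptables ruleset that sends UDP/53 traffic through a dedicated chain, returns early for allowlisted resolvers, and drops packets from any source that exceeds a hit count within a time window. The chain name DNS_RATE, the recent-list name dnsflood, the threshold, and the allowlisted addresses (constructed TEST-NET values) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the pdns-users thread: per-source rate limiting of
# UDP/53 using the iptables "recent" match, with an allowlist chain for known
# busy-but-legitimate resolvers. Names, addresses and threshold are assumptions.

ALLOWLIST="192.0.2.10 198.51.100.20"   # constructed example addresses (TEST-NET)
WINDOW_SECONDS=1
HITCOUNT=20   # xt_recent keeps 20 timestamps per address by default;
              # larger values need the module parameter ip_pkt_list_tot.

# Emit the rules as text so they can be reviewed (or tested) before applying.
dns_ratelimit_rules() {
    echo "iptables -N DNS_RATE"
    # Allowlisted sources leave the chain before any counting happens.
    for ip in $ALLOWLIST; do
        echo "iptables -A DNS_RATE -s $ip -j RETURN"
    done
    # Record a timestamp for every packet from this source ...
    echo "iptables -A DNS_RATE -m recent --name dnsflood --set"
    # ... and drop once HITCOUNT packets have been seen within the window.
    echo "iptables -A DNS_RATE -m recent --name dnsflood --update --seconds $WINDOW_SECONDS --hitcount $HITCOUNT -j DROP"
    # Hook the chain into INPUT for DNS over UDP only.
    echo "iptables -A INPUT -p udp --dport 53 -j DNS_RATE"
}

# Number of emitted rules that use the recent match (sanity check helper).
recent_rule_count() {
    dns_ratelimit_rules | grep -c -- '-m recent'
}

# Apply only when explicitly asked; a plain invocation just prints the rules.
if [ "${1:-}" = "--apply" ]; then
    dns_ratelimit_rules | sh -e
else
    dns_ratelimit_rules
fi
```

Run it without arguments to review the generated rules, and with `--apply` (as root) to load them. Sources currently tracked by the recent match can be inspected in `/proc/net/xt_recent/dnsflood` on kernels that ship xt_recent; the `--set` rule deliberately precedes the `--update` rule so that the packet that crosses the threshold is itself dropped rather than the next one.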