[Pdns-users] Related to recent DoS attacks: Recursor configuration file guidance

bert hubert bert.hubert at netherlabs.nl
Thu Feb 6 14:53:24 UTC 2014


Hi Winfried, 

The updated patch for 3.5.3 can be found on
https://github.com/Habbie/pdns/commit/e24b124a4c7b49f38ff8bcf6926cd69077d16ad8

I'll update the blog too.

	Bert

On Thu, Feb 06, 2014 at 02:03:49PM +0100, abang wrote:
> Hello Bert,
> 
> Would you also provide the patch for the current version 3.5.3?
> 
> Winfried
> 
> > On 06.02.2014 13:10, bert hubert wrote:
> >Hi everybody,
> >
> >Over the past week we've been contacted by a few users reporting their
> >PowerDNS Recursor became unresponsive under a moderate denial of service
> >attack, one which PowerDNS should be expected to weather without issues.
> >
> >In the course of investigating this issue, we've found that many PowerDNS
> >installations on Linux are configured to consume (far) more file descriptors
> >than are actually available, wasting resources.
> >
> >To check if this is the case for you, multiply the 'max-mthreads' setting by
> >the 'threads' setting. Default values are 2048 and 2, leading to a
> >theoretical FD consumption of 4096. Many Linux distributions default to
> >1024. So, our defaults exceed the Linux defaults by a large margin!
> >
> >(FreeBSD defaults are far higher, and should not pose an issue).
> >
> >To fix, there are four options:
> >
> >1) Reduce max-mthreads to 512 (or threads to 1)
> >2) Run 'ulimit -n 4096' before starting (perhaps put this in /etc/init.d/ script)
> >3) Investigate defaults in /etc/limits.conf
> >4) Apply the patch in https://github.com/PowerDNS/pdns/commit/3a8a4d68735a0465dff9623c49fb6bf45e0850d8
> >
> >The patch automates 1 and 2, either raising the limit if possible, or
> >reducing max-mthreads until "it fits".
> >
> >Thank you for your attention, and if you have results to report to us on
> >previous or current DoS attacks, please contact me privately!
> >
> >	Bert
> >
> 
> 
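
The check Bert describes (multiply 'max-mthreads' by 'threads' and compare with the process's open-file limit) can be scripted. The following POSIX shell script is an added example, not from the list post or the PowerDNS project; it parses a constructed sample recursor.conf embedded in the script, falls back to the defaults quoted in the post (2048 and 2) when a key is absent, compares the result with `ulimit -n`, and computes the largest 'max-mthreads' that would fit under the current limit (option 1 in the post). The function names and the sample config are this example's own.

```shell
#!/bin/sh
# Added example (not from the list post or the PowerDNS code base): does a
# Recursor configuration ask for more file descriptors than the process may
# open?  Rule from the post: max-mthreads * threads versus ulimit -n.

# Constructed sample recursor.conf, embedded so the script runs offline.
SAMPLE_CONF="$(cat <<'EOF'
# constructed sample, not a real deployment
local-address=127.0.0.1
threads=2
max-mthreads=2048
EOF
)"

# read_setting CONFIG KEY DEFAULT: value of KEY in the config text (last
# occurrence wins, leading whitespace tolerated), or DEFAULT when unset.
read_setting() {
    _val=$(printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1)
    if [ -z "$_val" ]; then printf '%s\n' "$3"; else printf '%s\n' "$_val"; fi
}

# fd_demand CONFIG: theoretical FD consumption = max-mthreads * threads,
# using the defaults quoted in the post (2048 and 2) when the keys are absent.
fd_demand() {
    _mt=$(read_setting "$1" max-mthreads 2048)
    _th=$(read_setting "$1" threads 2)
    echo $(( $_mt * $_th ))
}

# fd_verdict CONFIG LIMIT: "ok" when the demand fits under LIMIT, else "exceeds".
fd_verdict() {
    _need=$(fd_demand "$1")
    if [ "$_need" -le "$2" ]; then echo ok; else echo exceeds; fi
}

# suggested_max_mthreads LIMIT CONFIG: largest max-mthreads that fits under
# LIMIT with the configured thread count (what option 1 in the post does by hand).
suggested_max_mthreads() {
    _th=$(read_setting "$2" threads 2)
    echo $(( $1 / $_th ))
}

# Stand-alone run: compare the sample config against this shell's soft limit.
limit=$(ulimit -n)
need=$(fd_demand "$SAMPLE_CONF")
case "$limit" in
    ''|*[!0-9]*)
        echo "max-mthreads*threads = $need; open-file limit is '$limit' (not numeric), nothing to compare" ;;
    *)
        echo "max-mthreads*threads = $need, ulimit -n = $limit: $(fd_verdict "$SAMPLE_CONF" "$limit")"
        if [ "$(fd_verdict "$SAMPLE_CONF" "$limit")" = exceeds ]; then
            echo "either raise the limit to at least $need (ulimit -n $need before start)"
            echo "or set max-mthreads=$(suggested_max_mthreads "$limit" "$SAMPLE_CONF")"
        fi ;;
esac
```

Run it in the same shell environment the Recursor is started from (an init script, for instance), since `ulimit -n` reports that shell's soft limit rather than the limit the daemon will inherit from somewhere else; with the sample values and a 1024 limit it reports "exceeds" and suggests max-mthreads=512, matching the numbers in the post.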
