[Pdns-users] [Pdns-announce] Related to recent DoS attacks: Recursor configuration file guidance

Rygl Aleš ales at rygl.net
Fri Feb 7 06:23:19 UTC 2014


Hi again.

With about 3.000 q/s on this server, I have reached 16384 open files... I
have increased the limit for open files to 32768. I guess that we can hardly
have more configured, as we are getting close to the number of open ports. Is
there another way to face this attack? Some kind of throttling? Of course we
can balance queries across more machines, reduce network-timeout and of course
fix/deny broken clients.

Regards
Ales




On Friday 07 of February 2014 06:14:08 Rygl Aleš wrote:
> Hi everybody.
> 
> I have just verified that increasing file descriptors works. The recommended
> value of 4096 may not be enough when you are an ISP. I have 16384 now, and
> using lsof to count open files shows nearly 10.000 open files. The amount of
> requests is not high, about 2.000 q/sec.
> 
> Should I also increase the number of max-mthreads under these conditions
> (4096 now)?
> 
> Regards
> Ales
> 
> 
> 
> 
> On Thursday 06 of February 2014 20:23:53 Peter van Dijk wrote:
> > Hello Asif,
> > 
> > to my knowledge, there is no updated RPM. In your case, please look at
> > options 1, 2 and 3 in the blog post at
> > http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recursor-configuration-file-guidance/
> > 
> > If you do those things, you do not need a patched package.
> > 
> > Kind regards,
> > -- 
> > Peter van Dijk
> > Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
> > 
> > On 06 Feb 2014, at 16:51 , Asif Murad Khan <asifmuradkhan at gmail.com> wrote:
> > 
> > > Hi Bert,
> > > 
> > > We use CentOS 6.4 64-bit and installed pdns-recursor 3.5.3-1 from the
> > > monshouwer repository. So far we have not faced any DDoS attack problem,
> > > but we want to update it. Can we get an update via the repo?
> > > 
> > > regards,
> > 
> 
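
The check discussed in this thread (open file descriptors of the recursor process compared with its open-files limit), written out as an added example that is not part of the original messages. It assumes the Linux /proc layout; the function names, the 80% warning threshold and the process name in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare a process's open file descriptors with its
# "Max open files" soft limit (Linux /proc layout assumed).

# Print the soft "Max open files" value from a /proc/<pid>/limits-style file.
soft_nofile_limit() {
    awk '/^Max open files/ { print $4; exit }' "$1"
}

# Count the entries in a /proc/<pid>/fd-style directory
# (needs root or the same user as the process).
open_fd_count() {
    ls -1 "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Classify usage: prints OK, WARN (at or above the threshold percent)
# or FULL (limit reached). Args: open limit [threshold_percent=80]
fd_status() {
    open=$1; limit=$2; warn=${3:-80}
    case "$limit" in
        unlimited) echo OK; return 0 ;;
        ''|*[!0-9]*) echo "bad limit: $limit" >&2; return 2 ;;
    esac
    if [ "$open" -ge "$limit" ]; then echo FULL
    elif [ $((open * 100)) -ge $((limit * warn)) ]; then echo WARN
    else echo OK
    fi
}

# One-line report for a live process. Args: pid
fd_report() {
    pid=$1
    limit=$(soft_nofile_limit "/proc/$pid/limits") || return 2
    open=$(open_fd_count "/proc/$pid/fd")
    printf '%s open=%s limit=%s %s\n' "$pid" "$open" "$limit" \
        "$(fd_status "$open" "$limit")"
}

# Usage (process name is an assumption): fd_report "$(pidof pdns_recursor)"
```

Run from cron or a monitoring agent, a WARN result gives time to raise the limit or shed load before the process runs out of descriptors.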