Blocking DoS on Bind9 - BIND mitigating abuseware traffic

Curt Sampson cjs at cynic.net
Sat Sep 8 02:13:39 UTC 2007


On Fri, 7 Sep 2007, Fr34k wrote:

>  What suggestions/options do folks suggest to mitigate such traffic
> before putting such an abusive machine into a walled garden?

Track the traffic from individual hosts and, when the DNS query rate
gets absurd, add a rule to your packet filter to filter out all DNS
traffic from that host. Since a program is doing this, it can also
generate a nagios alert or send an e-mail or whatever to notify someone
about the situation.

This has the pleasant effect of also stopping the rogue host from
sending further spam. Not to mention getting the user to contact you to
see why he can no longer use the Internet, and perhaps providing some
incentive to use personal firewalls, virus protection programs, and
suchlike.

If you wanted to get particularly clever, and you've got good switches,
you could even use SNMP or whatever to shut down that host's switch port.
That would then ensure that the server sees no load from the rogue
machine.

cjs
-- 
Curt Sampson         <cjs at cynic.net>         +81 90 7737 2974
              http://www.starling-software.com
The power of accurate observation is commonly called cynicism
by those who have not got it.    --George Bernard Shaw
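The per-host rate tracking described in the reply above, as an added example that is not part of the original post and is not BIND or the author's code: it parses constructed log lines written in the style of BIND 9 query logging, flags any source that exceeds a query threshold inside a sliding time window, and renders the packet-filter rule (pf syntax assumed) plus the alert text a monitoring script would hand to nagios or e-mail. The threshold, window and log layout are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the style of BIND 9 query logging (not real traffic):
# 192.0.2.10 fires six queries in a few milliseconds, 192.0.2.20 behaves normally,
# and one non-query line shows that unrelated log lines are skipped.
SAMPLE_LOG = """\
08-Sep-2007 02:13:39.001 client 192.0.2.10#53412: query: a.example.com IN A + (192.0.2.1)
08-Sep-2007 02:13:39.002 client 192.0.2.10#53412: query: b.example.com IN A + (192.0.2.1)
08-Sep-2007 02:13:39.003 client 192.0.2.10#53412: query: c.example.com IN A + (192.0.2.1)
08-Sep-2007 02:13:39.004 client 192.0.2.10#53412: query: d.example.com IN A + (192.0.2.1)
08-Sep-2007 02:13:39.005 client 192.0.2.10#53412: query: e.example.com IN A + (192.0.2.1)
08-Sep-2007 02:13:39.006 client 192.0.2.10#53412: query: f.example.com IN A + (192.0.2.1)
08-Sep-2007 02:13:39.050 client 192.0.2.20#40001: query: www.example.net IN A + (192.0.2.1)
08-Sep-2007 02:13:40.000 zone example.com/IN: loaded serial 2007090801
08-Sep-2007 02:13:41.000 client 192.0.2.20#40002: query: mail.example.net IN MX + (192.0.2.1)
"""

LINE_RE = re.compile(r"^(\S+ \S+) client (\d+\.\d+\.\d+\.\d+)#\d+: query: ")
TIME_FMT = "%d-%b-%Y %H:%M:%S.%f"


def find_abusive_hosts(log_text, max_queries, window_seconds):
    """Return {source_ip: peak_count} for hosts that ever exceed max_queries
    within a sliding window of window_seconds (assumed thresholds)."""
    recent = defaultdict(deque)  # per-host timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query line
        ts, ip = datetime.strptime(m.group(1), TIME_FMT), m.group(2)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # evict timestamps that fell out of the window
        if len(q) > max_queries:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def filter_rule(ip):
    """pf rule (assumed syntax) dropping all DNS, TCP and UDP, from one host."""
    return f"block in quick proto {{ tcp, udp }} from {ip} to any port 53"


def alert_text(ip, peak, window_seconds):
    """One-line notification for nagios/e-mail, as the post suggests."""
    return f"DNS abuse: {ip} sent {peak} queries within {window_seconds}s; DNS from it is now filtered"
```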