rate-limit and Facebook IP's

Reindl Harald h.reindl at thelounge.net
Tue Jul 1 14:45:50 UTC 2014 

that's really interesting, also on the firewall rate-limiting new
UDP connections to 30 per 2 seconds and client IP also catchs all
day long several facebook IP's on both nameservers

Firewall Rate-Control: SRC=69.171.247.119 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=65378 PROTO=UDP
SPT=29558 DPT=53 LEN=54
Firewall Rate-Control: SRC=69.171.247.119 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=65379 PROTO=UDP
SPT=65053 DPT=53 LEN=54
Firewall Rate-Control: SRC=69.171.247.119 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=65380 PROTO=UDP
SPT=27469 DPT=53 LEN=54
Firewall Rate-Control: SRC=69.171.247.119 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=65381 PROTO=UDP
SPT=9288 DPT=53 LEN=54
Firewall Rate-Control: SRC=69.171.247.119 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=65382 PROTO=UDP
SPT=41241 DPT=53 LEN=54
Firewall Rate-Control: SRC=173.252.100.115 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=50076 PROTO=UDP
SPT=44395 DPT=53 LEN=54
Firewall Rate-Control: SRC=173.252.100.115 DST=85.124.176.242 LEN=77 TOS=0x00 PREC=0x00 TTL=80 ID=50077 PROTO=UDP
SPT=49631 DPT=53 LEN=57
Firewall Rate-Control: SRC=173.252.100.113 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=20024 PROTO=UDP
SPT=15272 DPT=53 LEN=54
Firewall Rate-Control: SRC=173.252.100.113 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=20025 PROTO=UDP
SPT=10473 DPT=53 LEN=54
Firewall Rate-Control: SRC=173.252.100.115 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=50078 PROTO=UDP
SPT=47769 DPT=53 LEN=54

Am 30.06.2014 14:22, schrieb Reindl Harald:
> am i the only one facing all day long serveral facebook
> networks hit RRL on both nameservers? for me there are
> only two options to explain that:
> 
> * facebook is too dumb to cache responses (TTL a day)
> * that's part of a well distributed amplification trying
>   not make much noise on the single involved servers
> 
> interesting that this is ongoing for many months
> 
> 30-Jun-2014 13:24:31.717 rate-limit: limit NODATA responses to 69.171.248.0/24 for ns1.thelounge.net IN  (1abd134b)
> 30-Jun-2014 13:25:32.184 rate-limit: stop limiting NODATA responses to 69.171.248.0/24 for ns1.thelounge.net IN
> (1abd134b)
> 30-Jun-2014 13:30:29.153 rate-limit: limit NODATA responses to 173.252.74.0/24 for tethys.thelounge.net IN  (1b619c65)
> 30-Jun-2014 13:31:29.149 rate-limit: stop limiting NODATA responses to 173.252.74.0/24 for tethys.thelounge.net IN
>  (1b619c65)
> 30-Jun-2014 13:37:12.845 rate-limit: limit NODATA responses to 173.252.113.0/24 for ns1.thelounge.net IN  (1abd134b)
> 30-Jun-2014 13:38:12.035 rate-limit: stop limiting NODATA responses to 173.252.113.0/24 for ns1.thelounge.net IN
> (1abd134b)
> 30-Jun-2014 13:39:21.736 rate-limit: limit NODATA responses to 173.252.77.0/24 for ns2.thelounge.net IN  (1abd134c)
> 30-Jun-2014 13:39:21.738 rate-limit: limit NODATA responses to 173.252.77.0/24 for arrakis.thelounge.net IN  (2041b582)
> 30-Jun-2014 13:39:21.873 rate-limit: limit NODATA responses to 173.252.77.0/24 for ns1.thelounge.net IN  (1abd134b)
> 30-Jun-2014 13:40:22.792 rate-limit: stop limiting NODATA responses to 173.252.77.0/24 for arrakis.thelounge.net IN
>  (2041b582)
> 30-Jun-2014 13:40:22.792 rate-limit: stop limiting NODATA responses to 173.252.77.0/24 for ns1.thelounge.net IN
> (1abd134b)
> 30-Jun-2014 13:40:23.131 rate-limit: stop limiting NODATA responses to 173.252.77.0/24 for ns2.thelounge.net IN
> (1abd134c)
> 30-Jun-2014 14:00:35.542 rate-limit: limit NODATA responses to 31.13.99.0/24 for ns1.thelounge.net IN  (1abd134b)
> 30-Jun-2014 14:01:36.564 rate-limit: stop limiting NODATA responses to 31.13.99.0/24 for ns1.thelounge.net IN
> (1abd134b)
> 30-Jun-2014 14:16:55.318 rate-limit: limit NODATA responses to 173.252.102.0/24 for ns1.thelounge.net IN  (1abd134b)
> 30-Jun-2014 14:16:55.328 rate-limit: limit NODATA responses to 173.252.102.0/24 for ns2.thelounge.net IN  (1abd134c)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140701/23856676/attachment.bin>

More information about the bind-users mailing list