named tcp dos?
Daniel Stirnimann
daniel.stirnimann at switch.ch
Thu Aug 2 06:28:49 UTC 2018
Hello Randy,
> so, i guess there is a named tcp dos going around. using bind9, is
> there an amelioration? or am i misconfigured in some way?
It looks to me that this is a side effect of a very permissive RRL
configuration. My tests with the following command indicate that you
have set responses-per-second to 5.
mdig @147.28.0.39 -f queries.txt
queries.txt contains 40x
switch.ch A
I would suggest something like this:
rate-limit {
  // start rate-limiting if more than X identical
  // responses per second, default 0 i.e. unlimited
  responses-per-second 25;
  nxdomains-per-second 25;
  errors-per-second 25;
  // credit/penalty WINDOW, default 15
  window 10;
  // send TC for every X-th rate-limited response, default 2
  slip 1;
};
Depending on your "max-udp-size" value (default 4096) you may also want
to increase the "tcp-clients" setting (default 150).
Daniel
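The following is an added illustration, not code from the post or from BIND9: a simplified model of how RRL's responses-per-second, window and slip settings decide the fate of the 40 identical "switch.ch A" responses from the mdig test above. The model assumes one credit bucket per identical response that starts with `rate` credits, refills `rate` per elapsed second up to `window * rate`, and, once empty, truncates (TC=1) every slip-th limited response and drops the rest; the /24 client block and the bucket key are constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class RateLimit:
    """Per-response credit bucket (simplified model of BIND9 RRL, an assumption)."""
    responses_per_second: int
    window: int   # seconds of credit that may accumulate (cap = window * rate)
    slip: int     # every slip-th limited response is truncated; 0 = drop them all
    _buckets: dict = field(default_factory=dict)

    def handle(self, key, now):
        """Classify one response as 'answer', 'truncate' (TC=1) or 'drop'.

        key -- tuple RRL groups on: (client /24 block, name, type)
        now -- time in seconds; credits refill per whole elapsed second
        """
        rate = self.responses_per_second
        credits, last, limited = self._buckets.get(key, (rate, int(now), 0))
        elapsed = int(now) - last
        if elapsed > 0:
            credits = min(credits + elapsed * rate, self.window * rate)
            last = int(now)
        if credits > 0:
            outcome = "answer"
            credits -= 1
        else:
            limited += 1
            outcome = "truncate" if self.slip and limited % self.slip == 0 else "drop"
        self._buckets[key] = (credits, last, limited)
        return outcome


def burst(limiter, key, count, now):
    """Send `count` identical responses at time `now`; return counts per outcome."""
    return Counter(limiter.handle(key, now) for _ in range(count))


# Constructed sample: 40 identical "switch.ch A" answers to one /24, as in the mdig test.
KEY = ("192.0.2.0/24", "switch.ch", "A")

if __name__ == "__main__":
    permissive = RateLimit(responses_per_second=5, window=15, slip=2)   # rps 5, defaults
    print("rps 5,  slip 2:", dict(burst(permissive, KEY, 40, 0.0)))
    suggested = RateLimit(responses_per_second=25, window=10, slip=1)   # config above
    print("rps 25, slip 1:", dict(burst(suggested, KEY, 40, 0.0)))
```

With slip 1 every rate-limited answer goes out truncated, so each one invites a TCP retry, which is why the tcp-clients remark matters alongside the rate values.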