Blocking DoS on Bind9

Barry Margolin barmar at
Fri Aug 24 02:56:42 UTC 2007

In article <faita3$192k$1 at>,
 Kevin Darcy <kcd at> wrote:

> The Doctor wrote:
> > Just wondering what methods can be use to stop DoS attcks
> > such as half-open connection overload on port 53 using named.conf ?
> >   
> Neither BIND nor any purely user-space app can really prevent "half-open 
> connection overload"s (are you trying to describe SYN flooding?), since 
> they don't even see the incoming connection until and unless it's fully 
> established.

Don't most Unix TCP implementations have SYN-flood protection built into 
them these days.  And I expect most high-end firewalls also do it at the 
border.  So it's not generally something one worries about in the 

The problem that might have to be dealt with in the application is 
fully-open connection overload.  Suppose a botnet opens thousands of TCP 
connections to port 53, this might fill up the TCP stack's connection 

Barry Margolin, barmar at
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

More information about the bind-users mailing list