Blocking DoS on Bind9 - BIND mitigating abuseware traffic

Curt Sampson cjs at
Sat Sep 8 02:13:39 UTC 2007

On Fri, 7 Sep 2007, Fr34k wrote:

>  What suggestions/options do folks suggest to mitigate such traffic
> before putting such an abusive machine into a walled garden?

Track the traffic from individual hosts and, when the DNS query rate
gets absurd, add a rule to your packet filter to filter out all DNS
traffic from that host. Since a program is doing this, it can also
generate a Nagios alert or send an e-mail or whatever to notify someone
about the situation.

This has the pleasant effect of also stopping the rogue host from
sending further spam. Not to mention getting the user to contact you to
see why he can no longer use the Internet, and perhaps providing some
incentive to use personal firewalls, virus protection programs, and

If you wanted to get particularly clever, and you've got good switches,
you could even use SNMP or whatever to shut down that host's switch port.
That would then ensure that the server sees no load from the rogue

Curt Sampson         <cjs at>         +81 90 7737 2974
The power of accurate observation is commonly called cynicism
by those who have not got it.    --George Bernard Shaw
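
The per-host tracking described in the message above, as an added example that is not part of the original post: it reads BIND 9 query-log lines, keeps a sliding window of query times per client, and builds (without running) a packet-filter rule for any client over the limit. Assumptions: query logging is enabled with `print-time yes`, the packet filter is iptables, and the function names, thresholds and sample log are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches BIND 9 query-log lines written with "print-time yes".
LINE = re.compile(r"^(\S+ \S+) .*?client (?:@0x[0-9a-f]+ )?([0-9A-Fa-f.:]+)#\d+.*?: query: ")

def find_abusers(lines, max_queries=100, window=timedelta(seconds=10)):
    """Return {client_ip: time the rate limit was first exceeded}."""
    recent = defaultdict(deque)   # client -> timestamps inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # not a query line; ignore
        when = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        client = m.group(2)
        q = recent[client]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop queries that left the window
        if len(q) > max_queries and client not in flagged:
            flagged[client] = when
    return flagged

def drop_rule(client):
    """Build (not run) an iptables/ip6tables rule dropping DNS from client."""
    ip = ipaddress.ip_address(client)   # raises ValueError on junk from the log
    tool = "ip6tables" if ip.version == 6 else "iptables"
    return [tool, "-I", "INPUT", "-s", str(ip), "-p", "udp", "--dport", "53", "-j", "DROP"]

def sample_log():
    """Constructed log: one host sends 50 MX queries in a second, one host sends 3."""
    base = datetime(2007, 9, 8, 2, 13, 39)
    out = []
    for i in range(50):
        t = (base + timedelta(milliseconds=20 * i)).strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
        out.append(f"{t} queries: info: client 192.0.2.66#1025: query: mx{i}.example.net IN MX +")
    for i in range(3):
        t = (base + timedelta(seconds=3 * i)).strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
        out.append(f"{t} queries: info: client 192.0.2.10#40000: query: www.example.com IN A +")
    return out

if __name__ == "__main__":
    for client, when in find_abusers(sample_log(), max_queries=20).items():
        print(when, " ".join(drop_rule(client)))
```

The rule is returned as an argument list so it can be passed to the packet filter without a shell, and the address is validated first because it comes from log text.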
