Server overwhelmed by rejections?

Lightner, Jeff jlightner at water.com
Tue Jan 19 13:29:53 UTC 2010


Luckily my machines have enough horsepower not to shut down from this
but I have on occasion seen the CPU load start going up due to it. On
lower powered machines this would likely cause what you're seeing.

If you're running a firewall (external device or iptables on Linux) the
best way to deal with this is to determine the IP or IP range that is
hammering you and simply blacklist it (drop its packets).  

If you're not running a firewall you can blacklist the IPs in
named.conf.
In options insert a line like:
blackhole { blackhats; };
Then create an acl called blackhats with the IPs or range you want to
drop:
acl "blackhats" {
        x.x.x.x; x.x.x/22;
};
In the above, the first x.x.x.x would be a single IP and the x.x.x/22 would
be an entire /22 CIDR for a given network.

-----Original Message-----
From: bind-users-bounces+jlightner=water.com at lists.isc.org
[mailto:bind-users-bounces+jlightner=water.com at lists.isc.org] On Behalf
Of Dylan Martin
Sent: Friday, January 15, 2010 11:41 PM
To: bind-users at lists.isc.org
Subject: Server overwhelmed by rejections?

I recently had an odd occurrence with my DNS servers. I have two
servers that act as caching resolvers for a community college and
authoritative for the college's domain.  A few days ago they both
stopped working for about 15 minutes.  The only clue I've been able
to find is my logs contain an unusual number of rejected queries right
before the outage.  By unusual, I mean around 300 in 2 seconds when a
busy one-second span might contain 25 entries normally.  These
requests were rejected because they originated from an IP address for
which recursive queries are forbidden.

Has anyone heard of excessive rejections causing an outage?  Is there
anything I can do to prevent this kind of thing from happening again?
I'm pretty sure this was just a fluke, but I worry what would happen
if a disgruntled student wanted to launch a DOS.

Thanks!
-Dylan
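
Added example (not part of either poster's message): one way to do the "determine the IP or IP range that is hammering you" step from the reply, by scanning BIND's denied-query log lines for bursts and rendering the result as the "blackhats" acl. The log line pattern, the threshold of 100 denials within 2 seconds, and the sample addresses are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Assumed BIND 9 log form; adjust the pattern to match your own logging channel.
DENIED = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*: query \(cache\) '.*' denied"
)

def burst_sources(lines, threshold=100, window_seconds=2):
    """Return {ip: peak} for clients whose denied queries reach `threshold`
    within any sliding window of `window_seconds`."""
    seen = defaultdict(list)
    for line in lines:
        m = DENIED.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            seen[ip_address(m["ip"])].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in seen.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans < window_seconds.
            while ts - stamps[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def blackhats_acl(ips):
    """Render the flagged addresses as the acl used by the blackhole option."""
    ordered = sorted(ips, key=lambda a: (a.version, a))
    body = "".join(f"        {ip};\n" for ip in ordered)
    return 'acl "blackhats" {\n' + body + "};\n"

def sample_log():
    """Constructed log lines: one noisy source, one ordinary rejected client."""
    line = ("15-Jan-2010 20:12:{:02d}.{:03d} security: info: client {}#{}: "
            "query (cache) 'www.example.com/A/IN' denied")
    noisy = [line.format(1 + i // 150, i % 150, "192.0.2.15", 40000 + i) for i in range(300)]
    quiet = [line.format(s, 0, "198.51.100.7", 5353) for s in (1, 9, 30)]
    return noisy + quiet

if __name__ == "__main__":
    print(blackhats_acl(burst_sources(sample_log())))
```

Source addresses on UDP DNS queries can be forged, so confirm a flagged address is not one of your own clients before adding it to the acl.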