Server overwhelmed by rejections?

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Jan 20 08:53:10 UTC 2010


On 19.01.10 08:29, Lightner, Jeff wrote:
> Luckily my machines have enough horsepower not to shut down from this,
> but I have on occasion seen the CPU load start going up due to it.  On
> lower-powered machines this would likely cause what you're seeing.
> 
> If you're running a firewall (external device or iptables on Linux) the
> best way to deal with this is to determine the IP or IP range that is
> hammering you and simply blacklist it (drop its packets).  
> 
> If you're not running a firewall you can blacklist the IPs in
> named.conf.
> In options insert a line like:
> blackhole { blackhats; };
> Then create an acl called blackhats with the IPs or range you want to
> drop:
> acl "blackhats" {
>         x.x.x.x; x.x.x/22;
> };
> In the above, the first x.x.x.x would be a single IP and the x.x.x/22 would
> be an entire /22 CIDR range for a given network.

In response to some DDoS attacks a year ago, when many servers were receiving
queries for ". IN NS", the advice given was: don't blackhole those IP
addresses. At least some of them are real authoritative-only nameservers, and
putting them in the blackhole would prevent your BIND from reaching them.

It's better to firewall off requests from those IP addresses to your port
53. If you have a recursive-only nameserver, you can safely disable requests
to it from unauthorized sources and allow only authorized networks.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
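As an added example (not part of either poster's message), here is a named.conf fragment for a recursive-only resolver that puts the advice above into practice: answering and recursing only for authorized networks, with the blackhole ACL reserved for sources you never need to reach. The ACL names and the networks 192.0.2.0/24 and 203.0.113.0/24 are assumptions (documentation ranges); substitute your own.

```conf
// Added example, not from the original thread. Networks are placeholders.
acl "trusted" {
        127.0.0.1;
        ::1;
        192.0.2.0/24;          // assumed: your own client network(s)
};

// Sources you never need to talk to in either direction. Keep this empty
// (or omit blackhole entirely) on a server that also resolves: blackhole
// discards *responses* from these addresses too, so a real authoritative
// nameserver listed here becomes unreachable for your resolver.
acl "blackhats" {
        203.0.113.0/24;        // assumed: abusive source range
};

options {
        recursion yes;
        // Answer and recurse only for our own clients; everyone else gets REFUSED.
        allow-query       { trusted; };
        allow-recursion   { trusted; };
        allow-query-cache { trusted; };
        // Silently drop packets from sources we never want to hear from.
        blackhole { blackhats; };
};
```

Validate with `named-checkconf` before reloading. Note that REFUSED is still a response, so a genuine flood is better dropped with a firewall rule on inbound port 53 than with allow-query alone; unlike blackhole, an inbound-only firewall rule does not stop your resolver from querying those addresses.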