outgoing-traffic

Abdul Khader akhader at ies.etisalat.ae
Wed Jul 27 16:00:19 UTC 2016


Ejaz

As per the trace file, QPS is around 1,158. Not sure what the specs 
of your server are, but it is very low compared to other ISPs.


You need to rate-limit the following IPs to around 20 QPS. All of these 
IPs are sending ANY queries for cpsc.gov. This is an amplification attack.

212.118.122.99/100/101


How you want to apply the rate limit is up to you. You can ask your security 
to do it or you can do it using iptables on the server.

I feel almost all Red Hat servers will have iptables installed by default.


Regards

Abdul Khader





On 7/27/2016 6:15 PM, Ejaz wrote:
>> Denying the request isn't going to solve anything in this case, they are still going to repeatedly ask for it and the traffic has already hit your system before ANY queries would be denied.
> Agreed, but at least it minimizes the problem, as if the request is 50 bytes then the response is also 50 bytes, not more than that??
>
>
> Ejaz
>
> -----Original Message-----
> From: S Carr [mailto:sjcarr at gmail.com]
> Sent: Wednesday, July 27, 2016 4:58 PM
> To: Ejaz <mejaz at cyberia.net.sa>
> Cc: bind-users <bind-users at lists.isc.org>
> Subject: Re: outgoing-traffic
>
> On 27 July 2016 at 14:44, Ejaz <mejaz at cyberia.net.sa> wrote:
>> Such as, if someone is sending an ANY request, by default it should be denied when users request it..
> Denying the request isn't going to solve anything in this case, they are still going to repeatedly ask for it and the traffic has already hit your system before ANY queries would be denied.
>
>
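The check described in the message above (find the sources sending ANY queries faster than about 20 per second) can be run against a BIND query log before deciding which addresses to rate-limit. This is an added example, not part of the original thread or of BIND; it assumes query logging is enabled and that lines follow the BIND 9 query-log layout, and the addresses and log lines in it are constructed.

```python
import re
from collections import Counter

ANY_QPS_LIMIT = 20  # threshold suggested in the thread

# Assumed layout: "<date> <time>.<ms> ... client <ip>#<port> ... query: <name> IN <type> ..."
LINE_RE = re.compile(
    r"(\S+ \d\d:\d\d:\d\d)\.\d+ .*?client (?:@\S+ )?([0-9A-Fa-f.:]+)#\d+ "
    r".*?query: (\S+) IN (\S+)"
)

def peak_any_rate(lines):
    """Return {src_ip: (peak ANY queries in any one second, most-queried name)}."""
    per_second = Counter()  # (src, second) -> number of ANY queries
    names = {}              # src -> Counter of queried names
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group(4).upper() != "ANY":
            continue  # unparsable line or not an ANY query
        second, src, qname = m.group(1), m.group(2), m.group(3).lower()
        per_second[(src, second)] += 1
        names.setdefault(src, Counter())[qname] += 1
    peaks = {}
    for (src, _), count in per_second.items():
        peaks[src] = max(peaks.get(src, 0), count)
    return {s: (n, names[s].most_common(1)[0][0]) for s, n in peaks.items()}

def sources_to_limit(lines, limit=ANY_QPS_LIMIT):
    """Sources whose peak ANY rate exceeds the limit (rate-limit candidates)."""
    return sorted(s for s, (n, _) in peak_any_rate(lines).items() if n > limit)

def constructed_log():
    """Constructed sample lines; 192.0.2.0/24 is a documentation range."""
    tail = "+E (198.51.100.53)"
    out = []
    for i in range(30):  # 30 ANY queries inside one second: over the limit
        out.append(f"27-Jul-2016 16:00:19.{i:03d} client 192.0.2.10#{40000 + i} "
                   f"(cpsc.gov): query: cpsc.gov IN ANY {tail}")
    for i in range(30):  # 30 ANY queries over three seconds: 10 per second
        out.append(f"27-Jul-2016 16:00:{20 + i // 10}.{i:03d} client 192.0.2.20#"
                   f"{41000 + i} (cpsc.gov): query: cpsc.gov IN ANY {tail}")
    for i in range(40):  # busy client, but A queries only
        out.append(f"27-Jul-2016 16:00:19.{i:03d} client 192.0.2.30#{42000 + i} "
                   f"(example.com): query: example.com IN A {tail}")
    return out

if __name__ == "__main__":
    for src, (rate, name) in sorted(peak_any_rate(constructed_log()).items()):
        flag = "LIMIT" if rate > ANY_QPS_LIMIT else "ok"
        print(f"{src:15} peak {rate:3d} ANY/s  top name {name}  {flag}")
```

Because the source address of a UDP query can be spoofed, the flagged addresses are usually the victims the responses are reflected to, so limiting them protects those hosts as well as the server's outbound bandwidth.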


