Interoperability with QIP
Steven M. Bellovin
smb at research.att.com
Wed Jan 12 19:07:55 UTC 2000
In message <20000110210744.27821 at plts.org>, Tom Limoncelli writes:
> QIP is a DNS server that has pre-standard support for IXFR (they don't
> claim that it will talk to anything but other QIP servers until the
> standard is final and they update the software).
>
> No problem... BIND users can just disable IXFR for zone transfers to
> QIP servers.
>
> However, when they do that QIP connects, gets rejected, and only
> half-closes the connection. As a result, the BIND server accumulates
> tons of FIN_WAIT_1 connections. Eventually the kernel table will fill
> and the machine will crash.
>
> It looks like a denial of service attack.
>
> I called the QIP folks and they said that the problem doesn't exist in
> BIND 8.1.* but I'm not really interested in downgrading.

FIN_WAIT_1 isn't a stable state -- your side has sent a FIN, and is waiting
for an ACK. If it doesn't get one in some number of minutes, it will tear
down the connection. If your kernel table is filling up, something else is
likely wrong.

Or maybe you meant FIN_WAIT_2, which is stable and can persist for a very long
time.

--Steve Bellovin
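
Added example, not part of the original message: a small Python check that tells the two states apart per remote peer, which is the distinction the reply turns on. It assumes IPv4 `netstat -an` style output; the function names, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in `netstat -an` style (Linux and BSD address forms mixed).
SAMPLE = """\
tcp   0  0 192.0.2.10:53     198.51.100.7:40112   FIN_WAIT2
tcp   0  0 192.0.2.10:53     198.51.100.7:40113   FIN_WAIT2
tcp   0  0 192.0.2.10:53     198.51.100.7:40114   FIN_WAIT2
tcp   0  1 192.0.2.10:53     198.51.100.7:40115   FIN_WAIT1
tcp   0  0 192.0.2.10:53     203.0.113.5:51000    ESTABLISHED
tcp4  0  0 192.0.2.10.53     198.51.100.9.1044    FIN_WAIT_2
tcp   0  0 192.0.2.10:22     198.51.100.7:40200   FIN_WAIT2
tcp   0  0 0.0.0.0:53        0.0.0.0:*            LISTEN
"""

ADDR = re.compile(r"(.+)[.:](\d+|\*)$")  # host, then port after ':' or '.'

def fin_wait_by_peer(text, local_port="53"):
    """Count FIN_WAIT_1 / FIN_WAIT_2 sockets on local_port per remote host."""
    counts = Counter()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue
        local, remote = ADDR.match(f[3]), ADDR.match(f[4])
        if not local or not remote or local.group(2) != local_port:
            continue
        state = f[5].replace("_", "")  # FIN_WAIT_2 and FIN_WAIT2 -> FINWAIT2
        if state in ("FINWAIT1", "FINWAIT2"):
            counts[(remote.group(1), state)] += 1
    return counts

def stuck_peers(counts, threshold):
    """Peers holding at least `threshold` sockets in FIN_WAIT_2.

    FIN_WAIT_2 means our FIN was ACKed and we are waiting for the peer's
    FIN; FIN_WAIT_1 entries are still waiting for that ACK and time out.
    """
    return sorted(h for (h, s), n in counts.items()
                  if s == "FINWAIT2" and n >= threshold)

if __name__ == "__main__":
    c = fin_wait_by_peer(SAMPLE)
    for (host, state), n in sorted(c.items()):
        print(f"{host:15} {state:9} {n}")
    print("peers at or over threshold:", stuck_peers(c, threshold=3))
```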