Paul Vixie
paul@vix.com
Mon, 02 Sep 2002 15:13:17 +0000
> What countermeasures are appropriate?

on the F and C root name servers, we use freebsd "ipfw" to limit each ingress
flow to 100Kbits/sec. this seems to cause bad actors to slow down, since they
are in lockstep to our replies.

    # limit inbound dns to 10Kbit/s UDP, 100Kbit/s TCP per source address (flow)
    add pipe 1 udp from any to any 53 in
    pipe 1 config mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
    add pipe 2 tcp from any to any 53 in
    pipe 2 config mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3
    # protect the host (normal firewall stuff)

you might consider something very similar in the dcc server code, since not
every dcc server will be running on freebsd or otherwise have this kind of
rate limiting built into its kernel.
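The per-source-address limit that the ipfw pipes above impose in the kernel ("mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s") can be reproduced in a userland UDP server as a token bucket per hashed source address. The following is an added illustration written for this page, not code from the DCC server or from ipfw; the limiter and demo function names, the hash constant and the scenario traffic are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not DCC or ipfw code: the per-source-address bandwidth
 * limit of "pipe ... mask src-ip 0xffffffff buckets 1024 bw ..." done in
 * userland as one token bucket per hashed source address. */
#define NBUCKETS 1024u                  /* same count as ipfw "buckets 1024" */

struct bucket { double tokens; double last; }; /* bytes available, last refill time */
struct limiter { double rate, burst; struct bucket b[NBUCKETS]; }; /* B/s, capacity */

void limiter_init(struct limiter *l, double bw_bits_per_s, double burst_bytes) {
    l->rate = bw_bits_per_s / 8.0;      /* "bw 10Kbit/s" expressed in bytes/s */
    l->burst = burst_bytes;
    for (unsigned i = 0; i < NBUCKETS; i++) /* every flow starts with a full burst */
        l->b[i] = (struct bucket){ burst_bytes, 0.0 };
}

/* Hash the source address into a bucket; sources that collide share a bucket,
 * which is also what dummynet does when distinct flows outnumber buckets. */
unsigned limiter_index(uint32_t src_ip) {
    return (src_ip * 2654435761u) % NBUCKETS;   /* Knuth multiplicative hash */
}

/* true: a reply of len bytes to src_ip fits that source's share at time now
 * (seconds); false: the flow is over its limit and the reply should be held. */
bool limiter_allow(struct limiter *l, uint32_t src_ip, size_t len, double now) {
    struct bucket *b = &l->b[limiter_index(src_ip)];
    b->tokens += (now - b->last) * l->rate;     /* refill for elapsed time */
    if (b->tokens > l->burst) b->tokens = l->burst;
    b->last = now;
    if (b->tokens < (double)len) return false;  /* lockstep sender must wait */
    b->tokens -= (double)len;
    return true;
}

/* Constructed scenario: one source (10.0.0.1) asks for 20 replies of 100 bytes
 * at t=0 and one more at t=1, under 10Kbit/s (1250 B/s) with a 1250-byte burst.
 * Returns how many were allowed: 12 from the burst plus 1 after refill = 13. */
int demo_single_source(void) {
    static struct limiter l;
    limiter_init(&l, 10000.0, 1250.0);
    int ok = 0;
    for (int i = 0; i < 20; i++) ok += limiter_allow(&l, 0x0A000001u, 100, 0.0);
    return ok + limiter_allow(&l, 0x0A000001u, 100, 1.0);
}
```

A second source such as 10.0.0.2 lands in its own bucket and is unaffected by the first one's exhaustion, which is the property the "mask src-ip 0xffffffff" part of the ipfw rule buys.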