Mon Sep 2 15:13:17 UTC 2002
> What countermeasures are appropriate?

on the F and C root name servers, we use freebsd "ipfw" to limit each ingress flow to 100Kbits/sec. this seems to cause bad actors to slow down, since they are in lockstep to our replies.

# limit inbound dns to 10Kbit/s UDP, 100Kbit/s TCP per source address (flow)
add pipe 1 udp from any to any 53 in
pipe 1 config mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s queue 3
add pipe 2 tcp from any to any 53 in
pipe 2 config mask src-ip 0xffffffff buckets 1024 bw 100Kbit/s queue 3

# protect the host (normal firewall stuff)

you might consider something very similar in the dcc server code, since not every dcc server will be running on freebsd or otherwise have this kind of rate limiting built into its kernel.
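The message suggests doing in the DCC server itself what the ipfw rules do in the FreeBSD kernel: one rate-limit bucket per source address, so a peer that waits for each reply before sending the next request is held to the configured rate. The following is an added example of that idea in userland C; it is not code from DCC, from the list poster, or from FreeBSD's dummynet. It keeps dummynet's shape (a hash table of 1024 flows keyed on the full 32-bit source address, a 10 Kbit/s rate) but implements the limit as a simple token bucket rather than dummynet's queue scheduler, and the source addresses, the 1500-byte burst depth and the traffic pattern in the scenario functions are constructed for illustration.

```c
/*
 * Per-source token-bucket rate limiter for a UDP/TCP server, modelled on the
 * ipfw rule "pipe 1 config mask src-ip 0xffffffff buckets 1024 bw 10Kbit/s".
 * Added example, not part of DCC or FreeBSD. Addresses below are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NBUCKETS 1024   /* same table size as the ipfw rule; must be a power of two */
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct flow_bucket {
    uint32_t src_ip;   /* flow key, host byte order; 0 marks an empty slot */
    double   tokens;   /* bytes this source may still be sent right now */
    double   last;     /* time of the last refill, in seconds */
};

struct flow_limiter {
    double rate_bps;    /* sustained bits per second allowed per source */
    double burst_bytes; /* bucket depth: how far ahead of the rate a source may run */
    struct flow_bucket buckets[NBUCKETS];
};

void limiter_init(struct flow_limiter *l, double rate_bps, double burst_bytes)
{
    l->rate_bps = rate_bps;
    l->burst_bytes = burst_bytes;
    for (size_t i = 0; i < NBUCKETS; i++)
        l->buckets[i].src_ip = 0;
}

static uint32_t hash_ip(uint32_t ip)
{
    ip ^= ip >> 16;
    ip *= 0x45d9f3bU;
    ip ^= ip >> 16;
    return ip & (NBUCKETS - 1);
}

/* Find the bucket for ip. On a miss, take the first empty slot on the probe
 * path, or recycle the least recently refilled one, and start the new flow
 * with a full bucket (a fresh dummynet queue likewise starts unthrottled). */
static struct flow_bucket *lookup(struct flow_limiter *l, uint32_t ip, double now)
{
    uint32_t h = hash_ip(ip);
    struct flow_bucket *victim = NULL;
    for (uint32_t i = 0; i < NBUCKETS; i++) {
        struct flow_bucket *b = &l->buckets[(h + i) & (NBUCKETS - 1)];
        if (b->src_ip == ip)
            return b;
        if (b->src_ip == 0) { victim = b; break; }
        if (victim == NULL || b->last < victim->last)
            victim = b;
    }
    victim->src_ip = ip;
    victim->tokens = l->burst_bytes;
    victim->last = now;
    return victim;
}

/* Decide whether a reply of len bytes to src_ip may be sent at time now.
 * A refused reply is simply not sent; a peer that waits for each answer before
 * asking again (the "lockstep" in the message) is thereby slowed to the rate. */
bool limiter_allow(struct flow_limiter *l, uint32_t src_ip, size_t len, double now)
{
    struct flow_bucket *b = lookup(l, src_ip, now);
    if (now > b->last) {
        b->tokens += (now - b->last) * l->rate_bps / 8.0;   /* bits -> bytes */
        if (b->tokens > l->burst_bytes)
            b->tokens = l->burst_bytes;
        b->last = now;
    }
    if (b->tokens >= (double)len) {
        b->tokens -= (double)len;
        return true;
    }
    return false;
}

/* Constructed scenario: one source receives npackets replies of len bytes at a
 * fixed interval from a 10 Kbit/s, 1500-byte-burst limiter. Returns how many
 * replies were allowed through. */
int simulate_lockstep(int npackets, double interval, size_t len)
{
    struct flow_limiter l;
    limiter_init(&l, 10000.0, 1500.0);
    int allowed = 0;
    for (int i = 0; i < npackets; i++)
        if (limiter_allow(&l, IPV4(192, 0, 2, 10), len, i * interval))
            allowed++;
    return allowed;
}

/* Per-source isolation: once one address has drained its bucket, another
 * address must still be served. Returns true if that holds. */
bool sources_are_independent(void)
{
    struct flow_limiter l;
    limiter_init(&l, 10000.0, 1500.0);
    uint32_t a = IPV4(192, 0, 2, 10), b = IPV4(198, 51, 100, 7);
    while (limiter_allow(&l, a, 500, 0.0)) { }   /* drain a's bucket */
    return !limiter_allow(&l, a, 500, 0.0) && limiter_allow(&l, b, 500, 0.0);
}

int main(void)
{
    printf("16 replies of 500 bytes every 0.25 s at 10 Kbit/s: %d allowed\n",
           simulate_lockstep(16, 0.25, 500));
    printf("sources independent: %s\n", sources_are_independent() ? "yes" : "no");
    return 0;
}
```

In a server this check sits just before the reply is written to the socket, keyed on the peer address from recvfrom() or accept(); the burst depth is the knob that corresponds to dummynet's queue length, and a full table is handled by recycling the least recently active flow rather than by refusing new ones, so a burst of fresh addresses cannot lock legitimate peers out.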