Thread: DNS - connection limit (without any extra hardware)

DNS - connection limit (without any extra hardware)
user name
2006-12-08 14:40:52
Hi,
as a consequence of a virus diffused in my customer base, I often receive big bursts of traffic on my DNS servers.
Unluckily, a lot of clients start to bomb my DNSs at a certain hour, so I have a distributed attempt at denial of service.
I can't blacklist them on my DNSs, because the infected clients are too many.

For this reason, I would like a DNS to respond to a maximum of 10 queries per second from every single IP address.
Does anybody know a solution, just using iptables/netfilter/kernel tuning/BIND tuning, without using any hardware traffic shaper?

Thanks
Best Regards

Luke

DNS - connection limit (without any extra hardware)
user name
2006-12-08 15:25:43
I know this is kind of a crazy idea but how about making cleaning up all these infected machines the priority as a solution instead of defending your dns from your infected clients. They not only affect you, they affect the rest of us so why should we give you a solution to your problem when you don't appear to care about causing problems for the rest of us?
 
George Roettger

DNS - connection limit (without any extra hardware)
user name
2006-12-08 15:53:55
On Friday 08 December 2006 14:40, you wrote:
> 
> For this reason, I would like that a DNS could response maximum to 10
> queries per second given by every single IP address.

That may trap an email server or two.

Did you consider checking what they are looking up, and lying to them about
the TTL/answer? "127.0.0.1 for a week" may be better than NXDOMAIN.

I use to slave "." which can save time on recursive DNS servers when they have
a lot of dross to answer (assuming it is totally random dross).

I suspect complex rate limiting may be nearly as expensive as providing DNS
answers with Bind9.

DNS - connection limit (without any extra hardware)
user name
2006-12-08 16:01:30
On Fri, 8 Dec 2006, Geo. wrote:
> I know this is kind of a crazy idea but how about making cleaning up all
> these infected machines the priority as a solution instead of defending your
> dns from your infected clients. They not only affect you, they affect the
> rest of us so why should we give you a solution to your problem when you
> don't appear to care about causing problems for the rest of us?
> 
> George Roettger

Actually, reading your reply (which is the same as my own, pretty much), I
figure the guy asked a question and he has a real problem. Assuming he
doesn't want to clean them up is not nice of us.

Luke:
It is possible the DNS queries made are for non-existent domains; fake
replies, perhaps even making them something in 1918 space, and they MAY
stop being not nice netizens.

	Gadi.


DNS - connection limit (without any extra hardware)
user name
2006-12-08 15:58:04
On Fri, 8 Dec 2006, Luke wrote:
> Hi,
> as a consequence of a virus diffused in my customer-base, I often receive
> big bursts of traffic on my DNS servers.
> Unluckily, a lot of clients start to bomb my DNSs at a certain hour, so I
> have a distributed tentative of denial of service.
> I can't blacklist them on my DNSs, because the infected clients are too
> much.
> 
> For this reason, I would like that a DNS could response maximum to 10
> queries per second given by every single IP address.
> Anybody knows a solution, just using iptables/netfilter/kernel tuning/BIND
> tuning, without using any hardware traffic shaper?
> 

"I have a bot-infested network, they really task my services! How can I
make my services ignore them so that the clients start calling me and
spending my tech support budget?"

> Thanks
> Best Regards
> 
> Luke
> 

	Gadi.

DNS - connection limit (without any extra hardware)
user name
2006-12-08 16:52:52
> Actually, reading your reply (which is the same as my own, pretty much), I
> figure the guy asked a question and he has a real problem. Assuming he
> doesn't want to clean them up is not nice of us.

Infected machines (bots) will cause a lot more than just DNS issues. Issues
like this have a way of getting worse all by themselves if not addressed.

Anyway, to play nice.. how about using a router to dampen traffic much like
icmp dampening? Would it be possible to do DNS dampening?

Geo.


DNS - connection limit (without any extra hardware)
user name
2006-12-08 17:56:59
Geo. wrote:
> I know this is kind of a crazy idea but how about making cleaning up
> all these infected machines the priority as a solution instead of
> defending your dns from your infected clients. They not only affect
> you, they affect the rest of us so why should we give you a solution
> to your problem when you don't appear to care about causing problems
> for the rest of us?
>
Has anyone figured out a remote but lawful way to repair zombie machines?

Pete


DNS - connection limit (without any extra hardware)
user name
2006-12-08 17:57:06

On 8-Dec-2006, at 11:52, Geo. wrote:

>
>> Actually, reading your reply (which is the same as my own, pretty
>> much), I figure the guy asked a question and he has a real problem.
>> Assuming he doesn't want to clean them up is not nice of us.
>
> Infected machines (bots) will cause a lot more than just DNS issues.
> Issues like this have a way of getting worse all by themselves if not
> addressed.
>
> Anyway, to play nice.. how about using a router to dampen traffic much
> like icmp dampening? Would it be possible to do DNS dampening?

I think the trouble comes when you want to limit the request rate
*per client source address*, rather than limiting the request rate
across the board. That implies the retention of state, and since DNS
transactions are brief (and since the client population is often
large) that can add up to a lot of state to keep at an aggregation
point like a router.

There are some appliances which are designed to hold large amounts of
state (e.g. f5's big-ip) but you're talking non-trivial dollars for
that. Beware enterprise-scale stateful firewall devices which might
seem like sensible solutions to this problem. They are often not
suitable for use in front of busy DNS servers (even a few hundred new
flows per second is a lot for some vendors, despite the apparent
marketing headroom based on the number of kbps you need to handle).

You may find that you can install ipfw (or similar) rules on your
nameservers themselves to do this kind of thing. Take careful note of
what happens when the client population becomes large, though -- the
garbage collection ought to be smooth and painless, or you'll just
wind up swapping one worm proliferation failure mode for another.

Host-based per-client rate limits scale better if there are many
hosts providing service, e.g. behind a load balancer or using
something like <http://www.isc.org/pubs/tn/isc-tn-2004-1.html>.

As to the wider question, cleaning up the infected hosts is an
excellent goal, but it'd certainly be nice if your DNS servers
continued to function while you were doing so. Having every
non-infected customer phone up screaming at once can be an unwelcome
distraction when you already have more man hours of work to do per
day than you have (staff * 24).


Joe
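
The per-source limit Luke asked for, together with the state-retention and garbage-collection caveat Joe raises above, as an added example that is not code from the thread or from any product named in it. It keeps one token bucket per source address in a table that is bounded in size and aged out when a source goes quiet, and runs it over constructed traffic (the addresses and rates are made up); netfilter's hashlimit match expresses the same per-source policy on a Linux nameserver.

```python
from collections import OrderedDict

class PerSourceLimiter:
    """Token bucket per source IP; ms timestamps, tokens in thousandths (exact ints)."""
    def __init__(self, rate_qps=10, burst=20, idle_ms=30_000, max_entries=100_000):
        self.rate_qps = rate_qps        # sustained queries/second allowed per source
        self.cap = burst * 1000         # bucket capacity in millitokens
        self.idle_ms = idle_ms          # forget a source after this much silence
        self.max_entries = max_entries  # hard bound on table size (the "lot of state")
        self.table = OrderedDict()      # src -> [millitokens, last_seen_ms], LRU order

    def allow(self, src, now_ms):
        """True if a query from src at now_ms should be answered."""
        entry = self.table.pop(src, None)
        if entry is None:
            if len(self.table) >= self.max_entries:
                self.table.popitem(last=False)  # evict the least recently seen source
            entry = [self.cap, now_ms]          # new sources start with a full bucket
        tokens, last = entry
        # rate_qps tokens/s == rate_qps millitokens/ms, so the refill is an exact integer
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate_qps)
        ok = tokens >= 1000
        if ok:
            tokens -= 1000
        self.table[src] = [tokens, now_ms]      # re-insert at the most-recent end
        return ok

    def expire(self, now_ms):
        """Drop sources idle longer than idle_ms; returns how many were removed."""
        removed = 0
        while self.table:
            _, (_, last) = next(iter(self.table.items()))  # oldest entry first
            if now_ms - last <= self.idle_ms:
                break
            self.table.popitem(last=False)
            removed += 1
        return removed

def simulate(limiter, queries):
    """queries: (timestamp_ms, src) pairs. Returns {src: [answered, dropped]}."""
    stats = {}
    for ts, src in sorted(queries):
        stats.setdefault(src, [0, 0])[0 if limiter.allow(src, ts) else 1] += 1
    return stats

def constructed_traffic():
    """Constructed sample (made-up addresses): an infected client at 100 qps and a
    mail server at 5 qps, both for five seconds."""
    return [(i * 10, "10.0.0.7") for i in range(500)] + [(i * 200, "10.0.0.25") for i in range(25)]
```

With the defaults (10 qps, burst 20) the 100 qps client gets 69 of its 500 queries answered while the 5 qps mail server loses none, and `expire()` empties the table once both have been silent for longer than `idle_ms`. The `burst` headroom is what keeps a legitimately chatty host such as a mail server from being trapped by a flat 10 qps ceiling.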


DNS - connection limit (without any extra hardware)
user name
2006-12-08 18:11:31
>
> "I have a bot-infested network, they really task my services! How can I
> make my services ignore them so that the clients start calling me and
> spending my tech support budget?"
>

Or:

"I have bots on my network and as part of a multi-pronged approach to
cleaning my network while keeping the services available to those who
aren't infected, I'd like to research ways that I can minimize the
effect these bots have on the rest of my customers"

Cheers,
.pm

DNS - connection limit (without any extra hardware)
user name
2006-12-08 18:20:47
On Fri, 8 Dec 2006, Petri Helenius wrote:
> 
> Geo. wrote:
> > I know this is kind of a crazy idea but how about making cleaning up
> > all these infected machines the priority as a solution instead of
> > defending your dns from your infected clients. They not only affect
> > you, they affect the rest of us so why should we give you a solution
> > to your problem when you don't appear to care about causing problems
> > for the rest of us?
> >
> Has anyone figured out a remote but lawful way to repair zombie machines?

Microsoft auto-update, the telephone line, going to a different country
with a different set of rules.

	Gadi.
