[dns-operations] Interesting messages in our logs

Paul Vixie paul at redbarn.org
Sat Nov 1 17:21:20 UTC 2014



> Stephane Bortzmeyer <bortzmeyer at nic.fr>
> Saturday, November 01, 2014 8:49 AM
> On Sat, Nov 01, 2014 at 10:10:07AM -0500,
>  Lyle Giese <lyle at lcrcomputer.net> wrote 
>  a message of 23 lines which said:
>
>> Interesting error messages.  Someone was running a host name scan
>> against a domain hosted here and it looks like they were doing it
>> via Google DNS.
>
> It seems also that RRL started and sent SLIP answers, leading Google
> Public DNS to retry with TCP.

what we've learned from random-subdomain flood attacks is that the
nxdomain limit (in BIND9 that's nxdomains-per-second) and the slip ratio
both have to be higher than we thought. at the moment i'm going to say
nxdomains-per-second of at least 20, and a slip ratio of 5.
>
>> Oct 31 04:10:52 linux1 named[2899]: client
>> 2607:f8b0:4001:c07::151#61651: no more TCP clients: quota reached
>
> If you wish to handle this amount of requests, you can raise
> the tcp-clients parameter.
>
> options { tcp-clients 300; };

there is no number you can insert here, including the largest number
your OS can support, such as 2^16, which will make your tcp listener
robust in the face of attacks. even if both sides of a non-attack flow
(so, client and server) fully implemented the recommendations of
<https://tools.ietf.org/html/draft-dickinson-dnsop-5966-bis-00>,
intentional tcp state exhaustion will remain a viable attack vector.

-- 
Paul Vixie
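The "no more TCP clients: quota reached" lines quoted above are the symptom worth counting per source address, since a single resolver (here Google Public DNS retrying over TCP after SLIP) can consume the whole tcp-clients quota on its own. The following is an added example, not code from the thread or from BIND: it parses named log lines of the shape shown in the quoted message and tallies quota-reached events per client. The regex is an assumption about that 2014-era "client <addr>#<port>: <msg>" layout, and the sample lines are constructed (the first one is the line from the thread).

```python
import re
from collections import Counter

# Assumed layout of a BIND9 client log line, matching the quoted message:
#   "<Mon dd HH:MM:SS> <host> named[<pid>]: client <addr>#<port>: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"client (?P<addr>[0-9a-fA-F:.]+)#(?P<port>\d+): (?P<msg>.*)$"
)

# Exact message text quoted in the thread.
TCP_QUOTA_MSG = "no more TCP clients: quota reached"

# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG = [
    "Oct 31 04:10:52 linux1 named[2899]: client 2607:f8b0:4001:c07::151#61651: no more TCP clients: quota reached",
    "Oct 31 04:10:53 linux1 named[2899]: client 2607:f8b0:4001:c07::151#61702: no more TCP clients: quota reached",
    "Oct 31 04:10:53 linux1 named[2899]: client 2607:f8b0:4001:c07::160#40011: no more TCP clients: quota reached",
    "Oct 31 04:10:54 linux1 named[2899]: client 192.0.2.10#33333: query (cache) 'example.com/A/IN' denied",
    "Oct 31 04:10:55 linux1 named[2899]: zone example.com/IN: loaded serial 2014110101",
]


def parse_line(line):
    """Split one named log line into fields; None if it is not a client message."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "host": m["host"],
        "addr": m["addr"],       # IPv4 or IPv6, without the "#port" suffix
        "port": int(m["port"]),
        "msg": m["msg"],
    }


def tcp_quota_by_client(lines):
    """Count TCP quota-reached events per source address (ports vary per retry)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["msg"] == TCP_QUOTA_MSG:
            counts[rec["addr"]] += 1
    return counts


if __name__ == "__main__":
    for addr, n in tcp_quota_by_client(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {addr}")
```

Addresses that dominate the tally are the resolvers being pushed to TCP by SLIP; that tells you where the quota is going, but, as the reply above notes, no tcp-clients value removes the exhaustion risk itself.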