<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 11/01/14 12:21, Paul Vixie wrote:<br>
</div>
<blockquote cite="mid:54551690.4000701@redbarn.org" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<br>
<br>
<blockquote style="border: 0px none;"
cite="mid:20141101154923.GA14152@nic.fr" type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr">
<a moz-do-not-send="true" href="mailto:bortzmeyer@nic.fr">Stephane Bortzmeyer</a>, Saturday, November 01, 2014 8:49 AM
</div>
<div style="color: rgb(136, 136, 136); margin-left: 24px;
margin-right: 24px;" __pbrmquotes="true" class="__pbConvBody">
<pre wrap="">On Sat, Nov 01, 2014 at 10:10:07AM -0500,
Lyle Giese <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:lyle@lcrcomputer.net"><lyle@lcrcomputer.net></a> wrote
a message of 23 lines which said:
</pre>
<blockquote type="cite">
<pre wrap="">Interesting error messages. Someone was running a host name scan
against a domain hosted here and it looks like they were doing it
via Google DNS.
</pre>
</blockquote>
<pre wrap=""><!---->
It seems also that RRL started and sent SLIP answers, leading Google
Public DNS to retry with TCP.</pre>
</div>
</blockquote>
<br>
</blockquote>
Yes, that part is expected behavior. Why someone is doing a host
name scan against one of our authoritative domains is a different
question. Doing it via Google may be a DoS vector they are trying
to exploit, or are they really looking for hostnames in a given
domain? (Not sure why the latter would be of any interest.)<br>
<br>
<blockquote cite="mid:54551690.4000701@redbarn.org" type="cite">
what we've learned from random-subdomain flood attacks is that the
nxdomain limit (in BIND9 that's nxdomains-per-second) and the slip
ratio both have to be higher than we thought. at the moment i'm
going to say nxdomains-per-second of at least 20, and a slip ratio
of 5.<br>
<blockquote style="border: 0px none;"
cite="mid:20141101154923.GA14152@nic.fr" type="cite">
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">Oct 31 04:10:52 linux1 named[2899]: client
2607:f8b0:4001:c07::151#61651: no more TCP clients: quota reached
</pre>
</blockquote>
<pre wrap=""><!---->
If you wish to handle this amount of requests, you can raise
the tcp-clients parameter.
options { tcp-clients 300; };
</pre>
</div>
</blockquote>
<br>
there is no number you can insert here, including the largest
number your OS can support, such as 2^16, which will make your tcp
listener robust in the face of attacks. even if both sides of a
non-attack flow (so, client and server) fully implemented the
recommendations of <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="https://tools.ietf.org/html/draft-dickinson-dnsop-5966-bis-00"><https://tools.ietf.org/html/draft-dickinson-dnsop-5966-bis-00></a>,
intentional tcp state exhaustion will remain a viable attack
vector.<br>
<br>
<div class="moz-signature">-- <br>
Paul Vixie<br>
</div>
</blockquote>
While interesting, and I learn from discussions like this, it doesn't
answer my original question. When named goes into SLIP via UDP
queries, the other party should (and did) retry using TCP. What
happens when we throttle via TCP, like above? Does named just drop
the connection? Or does it send back a meaningful error message or
status of some sort?<br>
<br>
Lyle Giese<br>
LCR Computer Services, Inc.<br>
<br>
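A simplified model of the mechanisms this thread names (nxdomains-per-second, the slip ratio, and the tcp-clients quota), added here as an example; it is not BIND's code and was not posted by any of the participants. It assumes one NXDOMAIN bucket per client per second and a per-client slip counter, which is a simplification of BIND's netblock-keyed token buckets; the client address is the resolver from the quoted log line, and tcp-clients is set to 3 (the thread mentions 300) so the quota is reached within a short run. It shows how many of a burst of NXDOMAIN-producing queries are answered, dropped, or sent truncated (TC=1) so the resolver retries over TCP, and what a resolver sees once the TCP quota is full.<br>

```python
"""Simplified model of response rate limiting (RRL) with a slip ratio plus
a TCP client quota.  Added illustration, not BIND's implementation: it
keeps one NXDOMAIN counter per (client, second) and a per-client slip
counter instead of BIND's netblock-keyed token buckets."""
from collections import defaultdict


class RrlServer:
    def __init__(self, nxdomains_per_second=20, slip=5, tcp_clients=300):
        # Values from the thread: Vixie suggests nxdomains-per-second >= 20
        # and slip 5; Bortzmeyer shows raising tcp-clients to 300.
        self.nxdomains_per_second = nxdomains_per_second
        self.slip = slip
        self.tcp_clients = tcp_clients
        self._nx = defaultdict(int)            # (client, second) -> NXDOMAINs sent
        self._slip_counter = defaultdict(int)  # client -> rate-limited responses seen
        self.active_tcp = 0
        self.log = []

    def udp_query(self, client, second, exists):
        """Return 'answer', 'drop' or 'truncate' for one UDP query.

        Only NXDOMAIN responses are limited in this model.  Once the
        per-second limit is exceeded, every slip-th limited response is sent
        truncated (TC=1) so a real resolver retries over TCP; the rest are
        dropped.  slip == 0 disables slipping (everything over the limit is
        dropped), matching the meaning of slip 0 in BIND's rate-limit block.
        """
        if exists:
            return "answer"
        key = (client, second)
        self._nx[key] += 1
        if self._nx[key] <= self.nxdomains_per_second:
            return "answer"
        self._slip_counter[client] += 1
        if self.slip and self._slip_counter[client] % self.slip == 0:
            return "truncate"
        return "drop"

    def tcp_connect(self, client):
        """Accept a TCP client unless the tcp-clients quota is already full.

        The refusal is recorded in the same wording as the named log line
        quoted in the thread.
        """
        if self.active_tcp >= self.tcp_clients:
            self.log.append(f"client {client}: no more TCP clients: quota reached")
            return False
        self.active_tcp += 1
        return True

    def tcp_close(self):
        self.active_tcp -= 1


def simulate_burst(n_queries=100, nxdomains_per_second=20, slip=5, tcp_clients=3):
    """Send n_queries NXDOMAIN-producing queries from one resolver in one second.

    Every truncated reply is followed by a TCP retry that is held open (not
    closed) for the rest of the run, so the small tcp_clients quota fills up
    and the remaining retries are refused.  Returns (counts, server_log).
    """
    server = RrlServer(nxdomains_per_second, slip, tcp_clients)
    client = "2607:f8b0:4001:c07::151"  # resolver address from the quoted log line
    counts = {"answer": 0, "drop": 0, "truncate": 0, "tcp_served": 0, "tcp_refused": 0}
    for _ in range(n_queries):
        result = server.udp_query(client, second=0, exists=False)
        counts[result] += 1
        if result == "truncate":
            if server.tcp_connect(client):
                counts["tcp_served"] += 1
            else:
                counts["tcp_refused"] += 1
    return counts, server.log


if __name__ == "__main__":
    counts, log = simulate_burst()
    print(counts)
    for line in log[:3]:
        print(line)
```

With the defaults, 100 NXDOMAIN queries in one second give 20 answers, 16 truncated replies (one in five of the 80 limited responses) and 64 drops; of the 16 TCP retries the first 3 are served and 13 are logged as "no more TCP clients: quota reached". Raising tcp_clients only moves that boundary, which is the point Vixie makes above. In a real named.conf the corresponding knobs are nxdomains-per-second and slip inside the rate-limit block and tcp-clients in options.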
</body>
</html>