[c-nsp] rate limit dns
Gert Doering
gert at greenie.muc.de
Fri Jan 3 07:31:02 EST 2014
Hi,
On Fri, Jan 03, 2014 at 12:23:18PM +0000, Phil Mayers wrote:
> On 03/01/14 12:19, Gert Doering wrote:
>
> >Well, my "real world" numbers on FreeBSD+unbound+pf are: if I enable
> >state tracking in pf, it will about double CPU usage.
>
> Very interesting. This was under "normal" rather than "attack" load, yes?
Correct. Nobody bothered yet to DoS our DNS servers (as opposed to trying
to abuse our auth DNS servers for reflection attacks -> RRL/dampening).
For other purposes, using stateful pf to protect the machine itself
(basically, for everything that is not "an internet facing service", but
stuff like return packets for outgoing sessions) works well, but DNS is
sort of a worst-case scenario, with single-packet "sessions".
> >The system in question did not have much CPU to spare, so this led to
> >DNS queries sometimes being dropped, which resulted in poor user
> >experience.
>
> Ugh. I bet it was delightful to troubleshoot as well...
Yeah. "Our Internet is sometimes slow". That sort of complaint.
(We do "Smokeping/AnotherDNS"-monitor our DNS servers, which did give
an indication that something is not fully right, but it took a bit to
correlate the update with the complaints and find the culprit.)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
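The split described in the message above, stateful pf for the host's own outgoing sessions but no state tracking for the single-packet UDP DNS service, expressed as a pf.conf fragment. This is an added example, not configuration from the thread or its authors; the interface name em0 and the listed addresses are assumptions, and "no state" on pass rules is standard pf syntax (FreeBSD pf keeps state by default on pass rules, so it must be switched off explicitly for the DNS port).

```pf
# Added example; em0 is an assumed interface name.
ext_if = "em0"
set skip on lo0
block in all

# Everything that is not an Internet-facing service stays stateful:
# return packets for the host's own outgoing sessions are matched
# against the state table (keep state is the default on pass rules).
pass out on $ext_if keep state

# UDP DNS is a single-packet "session": tracking state for every query
# only churns the state table and burns CPU. Match both directions
# statelessly instead. "quick" makes these rules win over the stateful
# pass-out rule above regardless of ordering.
pass in  quick on $ext_if proto udp from any to ($ext_if) port 53 no state
pass out quick on $ext_if proto udp from ($ext_if) port 53 to any no state

# TCP DNS (zone transfers, truncated answers) is a real connection,
# so keeping state there is cheap and still useful.
pass in on $ext_if proto tcp from any to ($ext_if) port 53 flags S/SA keep state
```

Because the DNS rules are stateless, pf no longer drops queries when the state table is full or when a state lookup does not keep up with the query rate; rate limiting of abusive clients then has to happen in the DNS software itself (RRL on the authoritative side, as the message notes) rather than in the firewall. Check the effect with `pfctl -si` (state table counters) and compare CPU usage before and after the change.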