[uanog] DNS flood

Привет кто-то сталкивался в последнее время с большим потоком DNS запросов (40..90req/s), идущих от клиентов, с попытками отрезолвить преимущественно не существующие RR (результат - ServFail) ? похоже на какого-то вируса или трояна ... подобные flood-ы, идущие от десятка клиентов забивают named до 90% CPU, а dnscache достигает лимита обслуживаемых udp-сокетов вот пример: 07:26:47.463988 x.x.x.x.53 > 212.109.32.9.53: 61469+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.472189 x.x.x.x.53 > 212.109.32.9.53: 58321+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.479816 x.x.x.x.53 > 212.109.32.9.53: 35610+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.487805 x.x.x.x.53 > 212.109.32.9.53: 29221+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.495766 x.x.x.x.53 > 212.109.32.9.53: 8759+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.503929 x.x.x.x.53 > 212.109.32.9.53: 50373+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.511752 x.x.x.x.53 > 212.109.32.9.53: 65083+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.519669 x.x.x.x.53 > 212.109.32.9.53: 19788+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.527803 x.x.x.x.53 > 212.109.32.9.53: 12924+ [1au] AAAA? nets.net.pk. (40) 07:26:47.535174 x.x.x.x.53 > 212.109.32.9.53: 23021+ [1au] AAAA? nets.net.pk. (40) 07:26:47.543165 x.x.x.x.53 > 212.109.32.9.53: 42790+ [1au] A? nets.net.pk. (40) 07:26:47.551420 x.x.x.x.53 > 212.109.32.9.53: 22016+ [1au] AAAA? nets.net.pk. (40) 07:26:47.559606 x.x.x.x.53 > 212.109.32.9.53: 34973+ [1au] AAAA? nets.net.pk. (40) 07:26:47.567507 x.x.x.x.53 > 212.109.32.9.53: 1548+ [1au] AAAA? nets.net.pk. (40) 07:26:47.575554 x.x.x.x.53 > 212.109.32.9.53: 47170+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.583591 x.x.x.x.53 > 212.109.32.9.53: 64130+ [1au] AAAA? nets.net.pk. (40) 07:26:47.590856 x.x.x.x.53 > 212.109.32.9.53: 5940+ [1au] AAAA? nets.net.pk. (40) 07:26:47.598734 x.x.x.x.53 > 212.109.32.9.53: 23396+ [1au] AAAA? nets.net.pk. (40) 07:26:47.607422 x.x.x.x.53 > 212.109.32.9.53: 42058+ [1au] AAAA? nets.net.pk. (40) 07:26:47.615186 x.x.x.x.53 > 212.109.32.9.53: 64316+ [1au] AAAA? nets.net.pk. (40) 07:26:47.623431 x.x.x.x.53 > 212.109.32.9.53: 26530+ [1au] A? nets.net.pk. (40) 07:26:47.631047 x.x.x.x.53 > 212.109.32.9.53: 40459+ [1au] AAAA? nets.net.pk. (40) 07:26:47.638964 x.x.x.x.53 > 212.109.32.9.53: 16196+ [1au] AAAA? nets.net.pk. (40) 07:26:47.647043 x.x.x.x.53 > 212.109.32.9.53: 17007+ [1au] AAAA? nets.net.pk. (40) 07:26:47.654921 x.x.x.x.53 > 212.109.32.9.53: 11072+ [1au] A? nets.net.pk. (40) 07:26:47.663050 x.x.x.x.53 > 212.109.32.9.53: 47466+ [1au] AAAA? nets.net.pk. (40) 07:26:47.670925 x.x.x.x.53 > 212.109.32.9.53: 5928+ [1au] A? nets.net.pk. (40) 07:26:47.678804 x.x.x.x.53 > 212.109.32.9.53: 59100+ [1au] AAAA? nets.net.pk. (40) 07:26:47.686734 x.x.x.x.53 > 212.109.32.9.53: 56945+ [1au] AAAA? nets.net.pk. (40) 07:26:47.694702 x.x.x.x.53 > 212.109.32.9.53: 19687+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.702742 x.x.x.x.53 > 212.109.32.9.53: 9431+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.710870 x.x.x.x.53 > 212.109.32.9.53: 8694+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.718747 x.x.x.x.53 > 212.109.32.9.53: 63382+ [1au] AAAA? nets.net.pk. (40) 07:26:47.726188 x.x.x.x.53 > 212.109.32.9.53: 58946+ [1au] AAAA? nets.net.pk. (40) 07:26:47.734546 x.x.x.x.53 > 212.109.32.9.53: 47164+ [1au] A? nets.net.pk. (40) 07:26:47.742372 x.x.x.x.53 > 212.109.32.9.53: 53485+ [1au] PTR? 177.55.6.69.in-addr.arpa. (53) 07:26:47.750558 x.x.x.x.53 > 212.109.32.9.53: 33237+ [1au] PTR? 200.55.6.69.in-addr.arpa. (53) 07:26:47.758730 x.x.x.x.53 > 212.109.32.9.53: 24234+ [1au] AAAA? nets.net.pk. (40) 07:26:47.766006 x.x.x.x.53 > 212.109.32.9.53: 61989+ [1au] A? nets.net.pk. (40) пока не могу придумать чем спасаться от такого -- Dimitry Тpезвость - ноpма загpобной жизни =================================================================== uanog mailing list. To Unsubscribe: send mail to majordomo@uanog.kiev.ua with "unsubscribe uanog" in the body of the message