From: Paul Macdonald
Date: Mon, 07 Dec 2009 14:22:38 +0000
To: freebsd-questions@freebsd.org
Subject: ipfw + DDOS
Message-ID: <4B1D0FAE.1090107@ifdnrg.com>

Hi,

I have a nameserver that occasionally gets blitzed for a few minutes by a high number of dynamic and changing IPs. The nameserver doesn't give recursive lookups, but 500,000 denied requests over 5-10 mins still hurts a bit.

I use ipfw and had thought that rate limiting connections on the incoming port would help, but I'm not sure if this is my best option.

I've been doing some testing, as part of the problem is generating enough traffic to simulate, but then I start to see dynamic ipfw rules kick in and I see very little in the named logs.

Any advice appreciated.

thanks
Paul
--
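Before deciding whether a per-source ipfw limit is the right tool, it helps to know whether the denied queries come from a few heavy sources or from many addresses each sending a little. The script below is an added example, not part of the post: it parses denied-query lines in the BIND 9 "client ip#port: query (cache) '...' denied" format (format assumed here), buckets them into one-minute windows and labels each window; the sample log lines and the thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# BIND 9 "query (cache) ... denied" lines as written for refused recursion.
# Format assumed for this example; the sample lines below are constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[\d.]+)#\d+: query .* denied$"
)
EPOCH = datetime(1970, 1, 1)

def _line(hms, ip):
    return f"07-Dec-2009 {hms}.000 client {ip}#53120: query (cache) 'example.org/A/IN' denied"

SAMPLE_LOG = "\n".join(
    [_line(f"14:20:{s:02d}", f"203.0.113.{s}") for s in range(6)]  # burst, 6 distinct sources
    + [_line(f"14:21:{s:02d}", "198.51.100.7") for s in range(5)]  # burst from one source
    + [_line("14:22:30", "192.0.2.9")]  # background noise
)

def parse_denied(log_text):
    """Yield (timestamp, source_ip) for each denied-query line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"), m["ip"]

def flood_profile(log_text, window_s=60):
    """Per time window: denied count, distinct sources, share of the top source."""
    buckets = defaultdict(Counter)
    for ts, ip in parse_denied(log_text):
        secs = int((ts - EPOCH).total_seconds())
        buckets[secs - secs % window_s][ip] += 1
    profile = []
    for start in sorted(buckets):
        hits = buckets[start]
        total = sum(hits.values())
        profile.append({"start": start, "total": total, "sources": len(hits),
                        "top_share": hits.most_common(1)[0][1] / total})
    return profile

def classify(stats, flood_threshold=5, top_share=0.8):
    """'distributed' = many sources each sending little: a per-source ipfw limit
    (limit src-addr / keep-state) buys little there and only fills the dynamic table."""
    if stats["total"] < flood_threshold:
        return "normal"
    return "single-source" if stats["top_share"] >= top_share else "distributed"
```

Windows labelled "distributed" are the ones where an aggregate limit on port 53 (or upstream filtering) matters more than per-source state, and where dynamic rules would be expected to pile up during a test.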