Maintained by: NLnet Labs

[Unbound-users] unbound vs fast flux botnets?

W.C.A. Wijngaards
Mon Sep 6 11:09:21 CEST 2010


Hi Felix,

On 08/31/2010 10:47 AM, Felix Schueren wrote:
> I'm curious as to whether this is a DoS scenario for unbound:
> 227  ANY IN ecfdabgfea.trassae95.com. 105.531254 iterator wait for
> (empty_list)

The empty_list output line is fixed in recent unbound releases, so if
you update, the output of dump_requestlist is neater (and shows what it
is really doing: wait for name lookup).

> Could this (with enough zombies) explain a sudden rise in
> waiting/dropped requests? Is there anything I can do to protect unbound
> against this?

Potentially.  In a recent release a fix to the protection against a rise
in waiting/dropped requests was also made.  Then, new requests are
favored and old ones (older than 'jostle timeout', 200msec) are dropped
to make space for them.  The stuff from your greps is then looked up when
there is leisure time.  The jostle-timeout feature has been present for a
long time, and should also work fine in older versions (for this
particular rise in request load).

Best regards,
   Wouter
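
A simplified model of the jostle behaviour described in the message above, as an added example that is not part of the original post and is not Unbound's code: when the request list is full, a new request replaces the oldest entry that is older than the jostle timeout, otherwise the new request is dropped. The list capacity, the `.example.` names and all timings are constructed assumptions.

```python
from dataclasses import dataclass

JOSTLE_MS = 200  # the 'jostle timeout' value quoted in the message


@dataclass
class Request:
    name: str
    start_ms: int    # when the request entered the list
    finish_ms: int   # when the upstream answer would arrive (constructed)


def simulate(arrivals, capacity, jostle_ms=JOSTLE_MS):
    """arrivals: (time_ms, name, lookup_ms) tuples sorted by time.
    Returns (answered, jostled, dropped) lists of names."""
    active, answered, jostled, dropped = [], [], [], []
    for now, name, lookup_ms in arrivals:
        # Retire requests whose upstream answer has arrived by now.
        for r in [r for r in active if r.finish_ms <= now]:
            active.remove(r)
            answered.append(r.name)
        if len(active) >= capacity:
            # List is full: only entries past the jostle timeout may be evicted.
            old = [r for r in active if now - r.start_ms > jostle_ms]
            if not old:
                dropped.append(name)  # nothing old enough, new request loses
                continue
            victim = min(old, key=lambda r: r.start_ms)
            active.remove(victim)
            jostled.append(victim.name)
        active.append(Request(name, now, now + lookup_ms))
    # Requests still in the list at the end run to completion.
    answered.extend(r.name for r in sorted(active, key=lambda r: r.finish_ms))
    return answered, jostled, dropped


def constructed_workload():
    # Constructed input: four 5 s lookups (names whose servers never answer
    # quickly) fill a 4-slot list, then ordinary 20 ms lookups arrive.
    slow = [(i * 10, f"slow{i}.example.", 5000) for i in range(4)]
    early = [(100, "early.example.", 20)]  # arrives before 200 ms have passed
    normal = [(300 + i * 50, f"www{i}.example.", 20) for i in range(3)]
    return slow + early + normal


if __name__ == "__main__":
    result = simulate(constructed_workload(), capacity=4)
    for label, names in zip(("answered", "jostled", "dropped"), result):
        print(label, names)
```

In this model one slow request is jostled once it passes 200 ms, and the freed slot is then reused by each fast lookup in turn; with an effectively infinite timeout every later request is dropped instead.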