Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dnsdist: Ponder dynamically blocking clients sending malformed packets #15022

Open
rgacogne opened this issue Jan 9, 2025 · 0 comments
Open

dnsdist: Ponder dynamically blocking clients sending malformed packets #15022

rgacogne opened this issue Jan 9, 2025 · 0 comments
Labels
dnsdist feature request
Milestone
dnsdist-2.0.0

Comments

@rgacogne
Copy link
Member

rgacogne commented Jan 9, 2025

  • Program: dnsdist
  • Issue type: Feature request

Short description

At the moment a malformed packet does not make it to the in-memory ring-buffers, and thus we do not keep any data about them. It might make sense to keep track of these (in a separate ring buffer?) and add a new dynamic block rule to temporary block clients sending too many malformed packets.

Usecase

We have seen DDoS attacks sending malformed packets. DNSdist throws them away very quickly, but blocking the offending clients at eBPF level would be even better.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dnsdist feature request
Projects
None yet
Milestone
dnsdist-2.0.0
Development

No branches or pull requests
1 participant
@rgacogne