Brian Somers <bsom...@opendns.com> wrote:

> Hi folks,

Hi Brian!

> However, during the attack, we also saw a huge number of TCP sockets in
> TIME_WAIT talking to root servers (probably all root servers). I'm
> curious if
>
> 1. Are root servers doing some sort of tar pitting where they send a TC
> and then firewall port 53?

This TIME_WAIT problem is a normal consequence of making lots of
short-lived TCP connections for which you initiated the close, i.e. a
tragic mismatch between what a recursive DNS resolver needs and what TCP
provides.

The standard TIME_WAIT period is huge compared to typical segment
lifetimes. You can reduce it using sysctl on FreeBSD but not Linux. Linux
instead has a couple of options to recycle TIME_WAIT sockets, one of which
is (IME) ineffective in this kind of situation, and the other is
reportedly unsafe.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
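The TIME_WAIT build-up Tony describes is easy to quantify on the resolver itself. The script below is an added example, not code from either poster or from any DNS software: it parses `ss -tan`-style output (the sample lines are constructed and only reuse the public addresses of a.root-servers.net and c.root-servers.net), counts TIME_WAIT sockets per remote peer on port 53, and estimates the steady-state TIME_WAIT population from the close rate and the TIME_WAIT duration (Linux fixes it at 60 s; on FreeBSD it is 2*MSL and sysctl-tunable). The `ss` column layout is the real one; everything else is assumed for the example.

```python
"""Count TIME_WAIT sockets per remote peer from `ss -tan`-style output.

Added example for the DNSOP thread; not taken from the thread or any
DNS implementation. The socket table below is constructed.
"""
from collections import Counter
from typing import List, NamedTuple

# Constructed sample of `ss -tan` output. Addresses of a.root-servers.net
# (198.41.0.4, 2001:503:ba3e::2:30) and c.root-servers.net (192.33.4.12)
# are used as peers; 192.0.2.x is documentation space.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port     Peer Address:Port
LISTEN     0      128    0.0.0.0:53             0.0.0.0:*
TIME-WAIT  0      0      192.0.2.10:41000       198.41.0.4:53
TIME-WAIT  0      0      192.0.2.10:41001       198.41.0.4:53
TIME-WAIT  0      0      192.0.2.10:41002       192.33.4.12:53
TIME-WAIT  0      0      [2001:db8::10]:41003   [2001:503:ba3e::2:30]:53
ESTAB      0      0      192.0.2.10:41004       192.0.2.77:443
TIME-WAIT  0      0      192.0.2.10:41005       192.0.2.77:443
"""


class Socket(NamedTuple):
    state: str
    local_addr: str
    local_port: int
    peer_addr: str
    peer_port: int


def _split_endpoint(endpoint: str):
    """Split 'addr:port' into (addr, port). Handles bracketed IPv6 and the
    '*' port that ss prints for the peer of a LISTEN socket (mapped to 0)."""
    addr, port = endpoint.rsplit(":", 1)
    return addr.strip("[]"), (0 if port == "*" else int(port))


def parse_ss(text: str) -> List[Socket]:
    """Parse `ss -tan` output into Socket records.

    The header line is skipped and state names are normalised to the
    netstat spelling (ss prints TIME-WAIT, netstat prints TIME_WAIT).
    """
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        state = fields[0].replace("-", "_")
        laddr, lport = _split_endpoint(fields[3])
        paddr, pport = _split_endpoint(fields[4])
        sockets.append(Socket(state, laddr, lport, paddr, pport))
    return sockets


def time_wait_by_peer(sockets: List[Socket], peer_port: int = 53) -> Counter:
    """TIME_WAIT sockets grouped by remote address, restricted to one
    remote port (53 for upstream DNS-over-TCP connections)."""
    return Counter(
        s.peer_addr
        for s in sockets
        if s.state == "TIME_WAIT" and s.peer_port == peer_port
    )


def steady_state_time_wait(closes_per_second: float,
                           time_wait_seconds: float = 60.0) -> float:
    """Little's law: sockets parked in TIME_WAIT = rate of actively closed
    connections x TIME_WAIT duration. The 60 s default is Linux's fixed
    TCP_TIMEWAIT_LEN; FreeBSD uses 2*MSL, which sysctl can lower."""
    return closes_per_second * time_wait_seconds


if __name__ == "__main__":
    table = parse_ss(SAMPLE_SS_OUTPUT)
    for peer, n in time_wait_by_peer(table).most_common():
        print(f"{peer:30} {n} TIME_WAIT")
    print("expected at 1000 closes/s on Linux:",
          int(steady_state_time_wait(1000)))
```

Feed it live data with `ss -tan | python3 timewait.py` style plumbing (read `sys.stdin` instead of the constructed sample) to see which upstreams a resolver is churning connections to; the steady-state estimate shows why a resolver that initiates the close at a few thousand connections per second can carry tens of thousands of TIME_WAIT sockets without anything being wrong at the remote end.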