Dictionary Attacks
Alex Neuman
alex at nkpanama.com
Tue Oct 24 19:41:48 IST 2006
You may want to use iptables (or whatever your firewall uses) to
rate-limit incoming connections.
Although you are probably under attack by a spam zombie army, I'm sure
some of those connections must be coming from repeated IPs. Set it so
that no more than, say, 4 connections in the last 60 seconds can come in
to your SMTP port from the same IP address. Legit servers will probably
not be affected, but spam zombies will have a hard time getting to you.
Something like:
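# Record every NEW connection to port 25 in the "recent" list.
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
# -I inserts at the top of the chain, so the rule added last is evaluated
# first: the LOG rule has to be added after the DROP rule to be reached.
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix "RATELIMIT: "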
for example...
Martin Hepworth wrote:
> DAve wrote:
>> I spoke too soon last week. Starting Friday we came under a heavy old
>> fashioned dictionary attack. Each day from noon until 4pm EDT.
>>
>> The IPs are so widely scattered it seems it would do no good to track
>> them. Right now milter-grey is consuming over 50% of my CPUs. If it
>> follows the same course as the prior days, about the time the attack
>> on one server starts to ease up it will increase on the next server.
>>
>> Milter-ahead is dealing with the connections that return. It could
>> turn into a DOS with a few thousand more connections. Funny but there
>> are so many connections for non-existent accounts that my load has
>> fallen nearly to the floor. There is no traffic for MailScanner to
>> operate on, the server is so dang busy telling zombies to go away.
>>
>> There has to be a better way to make a living than this 8^(
>>
>> DAve
>>
> Dave
>
> If you've paid for milter-ahead shouldn't it merely reject rcpt-to
> that don't exist????
>
> Or is it the sheer number of connections that are killing you?
>
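Added example, not part of the original post: a simplified Python model of how the rate-limit rules above treat connections, with a DROP rule using --update --seconds 60 --hitcount 4 evaluated before the --set rule. The addresses and traffic pattern are constructed, and the model ignores the real module's per-address timestamp limit.

```python
# Simplified model of the iptables "recent" match as used by the rules in the
# post: a DROP rule with --update --seconds 60 --hitcount 4, then a --set rule.
# Assumption: the per-address timestamp limit of the real module is ignored.
from collections import defaultdict

SECONDS, HITCOUNT = 60, 4   # values from the post


class RecentList:
    def __init__(self):
        self.stamps = defaultdict(list)   # source IP -> connection timestamps

    def update(self, ip, now):
        """--update: match if >= HITCOUNT stamps fall within the last SECONDS;
        a match also records `now`, so a blocked host that retries stays blocked."""
        hits = sum(1 for t in self.stamps[ip] if t >= now - SECONDS)
        if hits >= HITCOUNT:
            self.stamps[ip].append(now)
            return True
        return False

    def set(self, ip, now):
        """--set: record this connection attempt for the source address."""
        self.stamps[ip].append(now)


def filter_connections(attempts):
    """Run (time, ip) NEW connections through DROP-then-set; return verdicts."""
    table, verdicts = RecentList(), []
    for now, ip in sorted(attempts):
        if table.update(ip, now):
            verdicts.append((now, ip, "DROP"))
        else:
            table.set(ip, now)
            verdicts.append((now, ip, "PASS"))   # continues down the chain
    return verdicts


# Constructed sample traffic (documentation addresses, not from the post):
# a zombie retrying every 10 s, then once more after a quiet period, and a
# legitimate relay delivering one message every 30 s.
ZOMBIE, RELAY = "192.0.2.10", "198.51.100.5"
SAMPLE = [(t, ZOMBIE) for t in range(0, 100, 10)] + [(200, ZOMBIE)] \
       + [(t, RELAY) for t in range(0, 240, 30)]

if __name__ == "__main__":
    for now, ip, verdict in filter_connections(SAMPLE):
        print(f"t={now:>3}s {ip:<13} {verdict}")
```

The fifth connection from the retrying host is dropped, and because each drop refreshes its entry it stays blocked until it has been quiet for 60 seconds; the relay at one connection per 30 seconds is never affected.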