Dictionary Attacks

dnsadmin 1bigthink.com dnsadmin at 1bigthink.com
Tue Oct 24 20:06:18 IST 2006


At 02:41 PM 10/24/2006, you wrote:

>You may want to use iptables (or whatever your 
>firewall uses) to rate-limit incoming connections.
>
>Although you are probably under attack by a spam 
>zombie army, I'm sure some of those connections 
>must be coming from repeated IPs. Set it so that 
>no more than, say, 4 connections in the last 60 
>seconds can come in to your smtp port from the 
>same ip address. Legit servers will probably not 
>be affected, but spam zombies will have a hard time getting to you.
>
>something like:
>
># -I prepends to INPUT, so the last rule inserted is evaluated first:
># insert --set first, then DROP, then LOG, so the chain checks LOG, then
># DROP, and only then records the connection with --set (the N-th
># connection in the window is still accepted, the N+1-th is dropped).
># LOG uses --rcheck so it only tests the list and leaves the timestamp
># update to the DROP rule.
>iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
>iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
>iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 -j LOG --log-prefix "RATELIMIT: "
>
>for example...
>
>Martin Hepworth wrote:
>>DAve wrote:
>>>I spoke too soon last week. Starting Friday we 
>>>came under a heavy old-fashioned dictionary 
>>>attack. Each day from noon until 4pm EDT.
>>>
>>>The IPs are so widely scattered it seems it 
>>>would do no good to track them. Right now 
>>>milter-grey is consuming over 50% of my CPUs. 
>>>If it follows the same course as the prior 
>>>days, about the time the attack on one server 
>>>starts to ease up it will increase on the next server.
>>>
>>>Milter-ahead is dealing with the connections 
>>>that return. It could turn into a DoS with a 
>>>few thousand more connections. Funny, but there 
>>>are so many connections for non-existent 
>>>accounts that my load has fallen nearly to the 
>>>floor. There is no traffic for MailScanner to 
>>>operate on; the server is so dang busy telling zombies to go away.
>>>
>>>There has to be a better way to make a living than this 8^(
>>>
>>>DAve
>>Dave
>>
>>if you've paid for milter-ahead, shouldn't it 
>>merely reject RCPT TOs that don't exist?
>>
>>Or is it the sheer number of connections that are killing you?

All very good advice. I don't know if the 
milter-ahead will work. I know that the iptables 
advice will not, but only because the dictionary 
attacks that I am seeing are almost PERFECTLY 
distributed. It is a bot army attacking with IP 
addresses maybe repeating twice in hundreds of tries.

I've been watching them with paralysis since late 
last week. Can't figure anything to throw at them 
that wouldn't trip some of my outside users.

They are attacking a domain with five users and aren't going to get much ;>).

Cheers! 
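The following is an added example, not code from this thread or from the MailScanner project: a small Python replay of the quoted iptables "recent" rate limit (`--seconds 60 --hitcount 4`) over two constructed SMTP connection logs, one with a single hammering zombie and one with the "almost perfectly distributed" army described above. It shows that the per-source rule blocks the repeat offender without touching a legitimate retrying MX, and that it drops nothing when every source appears only once or twice, even though the aggregate connection rate is obviously abnormal. The timestamps, addresses and the `xt_recent` approximation (which ignores the kernel's cap on stamps kept per address) are all assumptions made for the illustration.

```python
"""Replay the quoted iptables -m recent rate limit over constructed logs.

Added example, not from the original thread.  Assumptions: each log entry
is a (unix_timestamp, client_ip) SMTP connection attempt; the limiter
mirrors the chain order the quoted rules produce, i.e. the
--update/--hitcount DROP check runs before --set records the attempt, so
the N-th attempt inside the window is accepted and the N+1-th is dropped.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60 in the quoted rules
HITCOUNT = 4          # --hitcount 4 in the quoted rules


def simulate_recent_limit(connections, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Return (accepted, dropped) lists of (timestamp, ip).

    Per source, keep the timestamps of attempts newer than `seconds`.  An
    attempt is dropped when the source already has `hitcount` or more such
    stamps; either way the attempt is recorded (--update on a match, --set
    otherwise), so a blocked source stays blocked while it keeps trying.
    """
    stamps = defaultdict(deque)   # per-IP timestamps, oldest first
    accepted, dropped = [], []
    for ts, ip in sorted(connections):
        q = stamps[ip]
        while q and ts - q[0] >= seconds:   # expire stamps outside the window
            q.popleft()
        (dropped if len(q) >= hitcount else accepted).append((ts, ip))
        q.append(ts)
    return accepted, dropped


def per_source_peak(connections, seconds=WINDOW_SECONDS):
    """Highest number of attempts any single source made inside one window."""
    by_ip = defaultdict(list)
    for ts, ip in connections:
        by_ip[ip].append(ts)
    peak = 0
    for times in by_ip.values():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] >= seconds:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
    return peak


def total_peak(connections, seconds=WINDOW_SECONDS):
    """Highest number of attempts from ALL sources inside one window."""
    return per_source_peak([(ts, "all") for ts, _ in connections], seconds)


T0 = 1_161_711_600   # constructed base timestamp (an October 2006 afternoon)

# Scenario 1 (constructed): one zombie hammering from a single address every
# 3 s, plus a legitimate MX retrying three times 20 s apart.
ZOMBIE_LOG = [(T0 + 3 * i, "192.0.2.10") for i in range(10)] + \
             [(T0 + 20 * i, "198.51.100.5") for i in range(3)]

# Scenario 2 (constructed): 200 attempts, one per second, from 100 addresses,
# each address used twice and 100 s apart, i.e. never twice in one window.
DISTRIBUTED_LOG = [(T0 + i, "203.0.113.%d" % (i % 100 + 1)) for i in range(200)]


def summarise(name, log):
    accepted, dropped = simulate_recent_limit(log)
    return {
        "scenario": name,
        "accepted": len(accepted),
        "dropped": len(dropped),
        "peak_per_source": per_source_peak(log),
        "peak_total": total_peak(log),
    }


if __name__ == "__main__":
    for name, log in (("single zombie", ZOMBIE_LOG), ("distributed", DISTRIBUTED_LOG)):
        print(summarise(name, log))
```

In the first scenario the zombie gets four connections through and the remaining six dropped, while the MX is never touched; in the second nothing is dropped because no address ever reaches the hit count, yet the all-source peak is 60 connections per minute. Whatever you throw at a distributed army therefore has to key on something other than the source address.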



More information about the MailScanner mailing list