Dictionary Attacks

Scott Silva ssilva at sgvwater.com
Tue Oct 24 20:29:19 IST 2006


dnsadmin 1bigthink.com spake the following on 10/24/2006 12:06 PM:
> At 02:41 PM 10/24/2006, you wrote:
> 
>> You may want to use iptables (or whatever your firewall uses) to
>> rate-limit incoming connections.
>>
>> Although you are probably under attack by a spam zombie army, I'm sure
>> some of those connections must be coming from repeated IPs. Set it so
>> that no more than, say, 4 connections in the last 60 seconds can come
>> in to your smtp port from the same ip address. Legit servers will
>> probably not be affected, but spam zombies will have a hard time
>> getting to you.
>>
>> something like:
>>
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix "RATELIMIT: "
>>
>> for example...
>>
>> Martin Hepworth wrote:
>>> DAve wrote:
>>>> I spoke too soon last week. Starting Friday we came under a heavy old
>>>> fashioned dictionary attack. Each day from noon until 4pm EDT.
>>>>
>>>> The IPs are so widely scattered it seems it would do no good to
>>>> track them. Right now milter-grey is consuming over 50% of my CPUs.
>>>> If it follows the same course as the prior days, about the time the
>>>> attack on one server starts to ease up it will increase on the next
>>>> server.
>>>>
>>>> Milter-ahead is dealing with the connections that return. It could
>>>> turn into a DoS with a few thousand more connections. Funny but
>>>> there are so many connections for non-existent accounts that my load
>>>> has fallen nearly to the floor. There is no traffic for MailScanner
>>>> to operate on, the server is so dang busy telling zombies to go away.
>>>>
>>>> There has to be a better way to make a living than this 8^(
>>>>
>>>> DAve
>>> Dave
>>>
>>> if you've paid for milter-ahead shouldn't it merely reject RCPT TOs
>>> that don't exist????
>>>
>>> Or is it the sheer number of connections that are killing you?
> 
> All very good advice.. I don't know if the milter-ahead will work. I
> know that the iptables advice will not.. but only because the dictionary
> attacks that I am seeing are almost PERFECTLY distributed. It is a bot
> army attacking with IP addresses maybe repeating twice in hundreds of
> tries.
> 
> I've been watching them with paralysis since late last week. Can't
> figure anything to throw at them that wouldn't trip some of my outside
> users.
> 
> They are attacking a domain with five users and aren't going to get much
> ;>).
> 
> Cheers!
Are you using ratecontrol in sendmail?
http://www.technoids.org/dossed.html
You can let in people you know easily, and slow down the rest of the world.


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
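The per-source rate limit proposed in the quoted message, modelled as an added Python example (not code from the thread): it replays constructed connection timestamps through the window-and-hitcount logic of the "-m recent" rules, as they sit in the chain once inserted (the DROP check runs before --set), to show why they catch one repeating client but never fire on a bot army whose addresses barely repeat, which is the problem dnsadmin describes. The IP addresses and timings are made up for the illustration.

```python
# Sliding-window per-source limiter modelled on iptables '-m recent' rate limiting.
from collections import defaultdict, deque

# Constructed sample traffic (not from the thread): (seconds since start, client IP)
# for new SMTP connections, already in time order.
SINGLE_SOURCE = [(t, "192.0.2.10") for t in range(10)]           # one IP, 10 tries in 10 s
DISTRIBUTED = [(t, f"198.51.100.{t % 200}") for t in range(400)]   # 200 IPs, each seen twice, 200 s apart

def simulate_recent(events, seconds=60, hitcount=4):
    """Model the chain [--update --seconds S --hitcount N -j DROP, --set]:
    the DROP rule is checked against the timestamps already recorded for the
    source, then one timestamp is recorded for this connection (--update on a
    match, --set otherwise). Returns (accepted, dropped, dropped_ips)."""
    stamps = defaultdict(deque)
    accepted, dropped, dropped_ips = 0, 0, set()
    for t, ip in events:
        window = stamps[ip]
        while window and t - window[0] > seconds:   # hits older than --seconds no longer count
            window.popleft()
        if len(window) >= hitcount:                 # --hitcount reached within the window: DROP
            dropped += 1
            dropped_ips.add(ip)
        else:
            accepted += 1
        window.append(t)
    return accepted, dropped, dropped_ips

def drop_ratio(events, seconds=60, hitcount=4):
    """Fraction of connection attempts the rule set would refuse."""
    accepted, dropped, _ = simulate_recent(events, seconds, hitcount)
    return dropped / (accepted + dropped)

if __name__ == "__main__":
    for name, events in (("single source", SINGLE_SOURCE), ("distributed", DISTRIBUTED)):
        accepted, dropped, ips = simulate_recent(events)
        print(f"{name}: accepted={accepted} dropped={dropped} blocked_ips={len(ips)}")
```

Against the distributed sample nothing is ever dropped, so the limit has to come from elsewhere (recipient validation, greylisting or a connection-rate control in the MTA itself) rather than from per-IP counting.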


