Dictionary Attacks

DAve dave.list at pixelhammer.com
Tue Oct 24 21:08:51 IST 2006


Scott Silva wrote:
> dnsadmin 1bigthink.com spake the following on 10/24/2006 12:06 PM:
>> At 02:41 PM 10/24/2006, you wrote:
>>
>>> You may want to use iptables (or whatever your firewall uses) to
>>> rate-limit incoming connections.
>>>
>>> Although you are probably under attack by a spam zombie army, I'm sure
>>> some of those connections must be coming from repeated IPs. Set it so
>>> that no more than, say, 4 connections in the last 60 seconds can come
>>> in to your smtp port from the same ip address. Legit servers will
>>> probably not be affected, but spam zombies will have a hard time
>>> getting to you.
>>>
>>> something like:
>>>
>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix "RATELIMIT: "
>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
>>>
>>> for example...
>>>
>>> Martin Hepworth wrote:
>>>> DAve wrote:
>>>>> I spoke too soon last week. Starting Friday we came under a heavy
>>>>> old-fashioned dictionary attack. Each day from noon until 4pm EDT.
>>>>>
>>>>> The IPs are so widely scattered it seems it would do no good to
>>>>> track them. Right now milter-grey is consuming over 50% of my CPUs.
>>>>> If it follows the same course as the prior days, about the time the
>>>>> attack on one server starts to ease up it will increase on the next
>>>>> server.
>>>>>
>>>>> Milter-ahead is dealing with the connections that return. It could
>>>>> turn into a DOS with a few thousand more connections. Funny but
>>>>> there are so many connections for non-existent accounts that my load
>>>>> has fallen nearly to the floor. There is no traffic for MailScanner
>>>>> to operate on, the server is so dang busy telling zombies to go away.
>>>>>
>>>>> There has to be a better way to make a living than this 8^(
>>>>>
>>>>> DAve
>>>> Dave
>>>>
>>>> if you've paid for milter-ahead shouldn't it merely reject rcpt-to
>>>> that don't exist????
>>>>
>>>> Or is it the sheer number of connections that are killing you?
>> All very good advice.. I don't know if the milter-ahead will work. I
>> know that the iptables advice will not.. but only because the dictionary
>> attacks that I am seeing are almost PERFECTLY distributed. It is a bot
>> army attacking with IP addresses maybe repeating twice in hundreds of
>> tries.
>>
>> I've been watching them with paralysis since late last week. Can't
>> figure anything to throw at them that wouldn't trip some of my outside
>> users.
>>
>> They are attacking a domain with five users and aren't going to get much
>> ;>).
>>
>> Cheers!
> Are you using ratecontrol in sendmail?
> http://www.technoids.org/dossed.html
> You can let in people you know easily, and slow down the rest of the world.
> 
> 

Same here, the IP addresses are all over the map and there is nearly never a 
connection from the same IP. That may be Greylisting's doing, though, 
keeping them at bay and not allowing me to see a trend.

Two of the servers are due for upgrades very soon and do not have some 
of the better features of the newest Sendmail. We are beating them back, 
but I would prefer to not have to battle this every week.

Right now, today, I would get on board a Spamming = Capital Punishment 
platform. If it were anything else, bullhorn over a fence, running into 
traffic with a sign, dumping a million pamphlets into a Super Bowl from 
the air, they would be arrested.

I need a drink.

DAve

-- 
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.
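The thread's disagreement is about whether the per-source rate limit in the quoted iptables rules can touch a bot army whose addresses barely repeat. Below is an added example, written for this page and not code from the thread or from any of the tools named in it, that lets you answer that question from your own mail logs before touching the firewall. It approximates the `-m recent --update --seconds 60 --hitcount 4` match as a sliding window per source address (counting the current connection, so a source's 4th new connection inside 60 seconds is marked dropped), replays constructed sendmail-style `relay=[ip]` log lines through it, and reports how many connections the limit would have stopped and how concentrated the sources are. The log format, host names and addresses are constructed for the example. One detail the simulation does not model: `iptables -I` with no position inserts at the head of the chain, so three successive `-I` commands end up in the chain in the reverse of the order they were typed.

```python
"""Replay SMTP connection logs through a model of the iptables 'recent'
rate limit (--seconds 60 --hitcount 4) to see whether a per-source limit
would have caught a given attack. Added example; constructed data only."""
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60 in the quoted iptables rules
HITCOUNT = 4          # --hitcount 4 in the quoted iptables rules

# Constructed, sendmail-like line shape (assumption, not a real log): a syslog
# timestamp followed later by a "relay=host [ip]" or "relay=[ip]" field.
LOG_LINE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+\S+:\s.*relay=\S*\s?\[(\d+\.\d+\.\d+\.\d+)\]"
)


def parse_connections(lines):
    """Return time-sorted (seconds_since_midnight, ip) pairs for lines that
    carry a relay address; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        h, mi, s, ip = m.groups()
        events.append((int(h) * 3600 + int(mi) * 60 + int(s), ip))
    events.sort()
    return events


def simulate_recent(events, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Sliding-window model of '-m recent --update --seconds W --hitcount N':
    counting the current connection, a source is marked dropped once it has
    made N or more new connections inside the last W seconds."""
    stamps = defaultdict(deque)          # ip -> timestamps still inside window
    decisions = []
    for ts, ip in events:
        q = stamps[ip]
        while q and ts - q[0] >= window:  # expire stamps that fell out of window
            q.popleft()
        q.append(ts)
        decisions.append((ts, ip, len(q) >= hitcount))
    return decisions


def summarize(decisions):
    """The numbers a defender wants: total connections, how many the limit
    would drop, distinct sources, and the busiest single source."""
    per_ip = defaultdict(int)
    dropped = 0
    for _, ip, drop in decisions:
        per_ip[ip] += 1
        dropped += int(drop)
    return {
        "connections": len(decisions),
        "dropped": dropped,
        "distinct_sources": len(per_ip),
        "max_per_source": max(per_ip.values(), default=0),
    }


def report(lines):
    """Parse, simulate and summarize in one call."""
    return summarize(simulate_recent(parse_connections(lines)))


def make_lines(ts_ip_pairs):
    """Build constructed sendmail-like log lines from (seconds, ip) pairs."""
    out = []
    for sec, ip in ts_ip_pairs:
        h, rem = divmod(sec, 3600)
        mi, s = divmod(rem, 60)
        out.append(f"Oct 24 {h:02d}:{mi:02d}:{s:02d} mx1 sm-mta[2307]: k9OG0001: "
                   f"ruleset=check_rcpt, relay=[{ip}], reject=550 5.1.1 User unknown")
    return out


# Scenario 1 (constructed): the "perfectly distributed" bot army from the
# thread, 200 connections in 100 seconds from 200 different sources.
DISTRIBUTED = make_lines((12 * 3600 + i // 2, f"203.0.113.{i}") for i in range(200))

# Scenario 2 (constructed): one zombie hammering the port, 10 connections in
# 30 seconds from a single source.
REPEATING = make_lines((12 * 3600 + 3 * i, "192.0.2.10") for i in range(10))

if __name__ == "__main__":
    for name, lines in [("distributed", DISTRIBUTED), ("repeating", REPEATING),
                        ("mixed", DISTRIBUTED + REPEATING)]:
        print(f"{name:12s} {report(lines)}")
```

Run against real logs, the `distinct_sources` and `max_per_source` figures tell you immediately which camp you are in: if the busiest source never reaches the hitcount inside the window, the per-IP rule is not where the relief will come from, and recipient verification or greylisting (the other measures the thread discusses) is the better lever.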
