Dictionary Attacks

dnsadmin 1bigthink.com dnsadmin at 1bigthink.com
Tue Oct 24 21:44:33 IST 2006


At 03:29 PM 10/24/2006, you wrote:

>dnsadmin 1bigthink.com spake the following on 10/24/2006 12:06 PM:
> > At 02:41 PM 10/24/2006, you wrote:
> >
> >> You may want to use iptables (or whatever your firewall uses) to
> >> rate-limit incoming connections.
> >>
> >> Although you are probably under attack by a spam zombie army, I'm sure
> >> some of those connections must be coming from repeated IPs. Set it so
> >> that no more than, say, 4 connections in the last 60 seconds can come
> >> in to your smtp port from the same ip address. Legit servers will
> >> probably not be affected, but spam zombies will have a hard time
> >> getting to you.
> >>
> >> something like:
> >>
> >> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> >> recent --set
> >> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> >> recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix
> >> "RATELIMIT: "
> >> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m
> >> recent --update --seconds 60 --hitcount 4 -j DROP
> >>
> >> for example...
> >>
> >> Martin Hepworth wrote:
> >>> DAve wrote:
> >>>> I spoke too soon last week. Starting Friday we came under a heavy old
> >>>> fashioned dictionary attack. Each day from noon until 4pm EDT.
> >>>>
> >>>> The IPs are so widely scattered it seems it would do no good to
> >>>> track them. Right now milter-grey is consuming over 50% of my CPUs.
> >>>> If it follows the same course as the prior days, about the time the
> >>>> attack on one server starts to ease up it will increase on the next
> >>>> server.
> >>>>
> >>>> Milter-ahead is dealing with the connections that return. It could
> >>>> turn into a DOS with a few thousand more connections. Funny but
> >>>> there are so many connections for non-existent accounts that my load
> >>>> has fallen nearly to the floor. There is no traffic for MailScanner
> >>>> to operate on, the server is so dang busy telling zombies to go away.
> >>>>
> >>>> There has to be a better way to make a living than this 8^(
> >>>>
> >>>> DAve
> >>> Dave
> >>>
> >>> if you've paid for milter-ahead shouldn't it merely reject rcpt-to
> >>> that don't exist????
> >>>
> >>> Or is it the sheer number of connections that are killing you?
> >
> > All very good advice.. I don't know if the milter-ahead will work. I
> > know that the iptables advice will not.. but only because the dictionary
> > attacks that I am seeing are almost PERFECTLY distributed. It is a bot
> > army attacking with IP addresses maybe repeating twice in hundreds of
> > tries.
> >
> > I've been watching them with paralysis since late last week. Can't
> > figure anything to throw at them that wouldn't trip some of my outside
> > users.
> >
> > They are attacking a domain with five users and aren't going to get much
> > ;>).
> >
> > Cheers!
>Are you using ratecontrol in sendmail?
>http://www.technoids.org/dossed.html
>You can let in people you know easily, and slow down the rest of the world.

Thanks Scott! That gave me the ammo I was looking for. Yes, I did have
most of that implemented; just not very well after revisiting it.

Now to implement this before they start poking at 
a domain that will really count!

Cheers! 



More information about the MailScanner mailing list