Dictionary Attacks
Scott Silva
ssilva at sgvwater.com
Tue Oct 24 22:29:12 IST 2006
DAve spake the following on 10/24/2006 1:08 PM:
> Scott Silva wrote:
>> dnsadmin 1bigthink.com spake the following on 10/24/2006 12:06 PM:
>>> At 02:41 PM 10/24/2006, you wrote:
>>>
>>>> You may want to use iptables (or whatever your firewall uses) to
>>>> rate-limit incoming connections.
>>>>
>>>> Although you are probably under attack by a spam zombie army, I'm sure
>>>> some of those connections must be coming from repeated IPs. Set it so
>>>> that no more than, say, 4 connections in the last 60 seconds can come
>>>> in to your smtp port from the same ip address. Legit servers will
>>>> probably not be affected, but spam zombies will have a hard time
>>>> getting to you.
>>>>
>>>> something like:
>>>>
>>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
>>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix "RATELIMIT: "
>>>> iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
>>>>
>>>> for example...
>>>>
>>>> Martin Hepworth wrote:
>>>>> DAve wrote:
>>>>>> I spoke too soon last week. Starting Friday we came under a heavy old
>>>>>> fashioned dictionary attack. Each day from noon until 4pm EDT.
>>>>>>
>>>>>> The IPs are so widely scattered it seems it would do no good to
>>>>>> track them. Right now milter-grey is consuming over 50% of my CPUs.
>>>>>> If it follows the same course as the prior days, about the time the
>>>>>> attack on one server starts to ease up it will increase on the next
>>>>>> server.
>>>>>>
>>>>>> Milter-ahead is dealing with the connections that return. It could
>>>>>> turn into a DOS with a few thousand more connections. Funny but
>>>>>> there are so many connections for non-existent accounts that my load
>>>>>> has fallen nearly to the floor. There is no traffic for MailScanner
>>>>>> to operate on, the server is so dang busy telling zombies to go away.
>>>>>>
>>>>>> There has to be a better way to make a living than this 8^(
>>>>>>
>>>>>> DAve
>>>>> Dave
>>>>>
>>>>> if you've paid for milter-ahead shouldn't it merely reject rcpt-to
>>>>> that don't exist????
>>>>>
>>>>> Or is it the sheer number of connections that are killing you?
>>> All very good advice.. I don't know if the milter-ahead will work. I
>>> know that the iptables advice will not.. but only because the dictionary
>>> attacks that I am seeing are almost PERFECTLY distributed. It is a bot
>>> army attacking with IP addresses maybe repeating twice in hundreds of
>>> tries.
>>>
>>> I've been watching them with paralysis since late last week. Can't
>>> figure anything to throw at them that wouldn't trip some of my outside
>>> users.
>>>
>>> They are attacking a domain with five users and aren't going to get much
>>> ;>).
>>>
>>> Cheers!
>> Are you using ratecontrol in sendmail?
>> http://www.technoids.org/dossed.html
>> You can let in people you know easily, and slow down the rest of the
>> world.
>>
>>
>
> Same here, the IP addresses are all over the map and nearly never a
> connection from the same IP. That may be Greylisting's fault though
> keeping them at bay, and not allowing me to see a trend.
>
> Two of the servers are due for upgrades very soon and do not have some
> of the better features of the newest Sendmail. We are beating them back,
> but I would prefer to not have to battle this every week.
>
> Right now, today, I would get on board a Spamming = Capital Punishment
> platform. If it were anything else, bullhorn over a fence, running into
> traffic with a sign, dumping a million pamphlets into a Super Bowl from
> the air, they would be arrested.
>
> I need a drink.
>
> DAve
>
Instead they (the evil spammers) sue the people intent on stopping them, and
anybody even slightly connected.
I think I'll join you in needing a drink!
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
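
An added example, not part of the original thread: a simplified Python model of the per-source limit discussed above (4 new connections in 60 seconds), replayed over constructed connection logs to compare one repeating source with a bot army whose addresses repeat about twice in hundreds of tries. The function names and sample addresses are assumptions made for illustration, and the model approximates the sliding window rather than reproducing the kernel module.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60 in the quoted rules
HITCOUNT = 4          # --hitcount 4 in the quoted rules


def simulate(events, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Replay (timestamp, source_ip) events that are sorted by time.

    Simplified model: every new connection is recorded for its source.
    A connection is dropped when the source has `hitcount` or more
    recorded connections (this one included) inside the last `window`
    seconds. Dropped attempts stay recorded, so a source that keeps
    hammering stays blocked. Returns (accepted, dropped) event lists.
    """
    seen = defaultdict(deque)          # source_ip -> recent timestamps
    accepted, dropped = [], []
    for ts, ip in events:
        stamps = seen[ip]
        stamps.append(ts)
        while ts - stamps[0] >= window:   # expire stamps outside the window
            stamps.popleft()
        (dropped if len(stamps) >= hitcount else accepted).append((ts, ip))
    return accepted, dropped


def drop_ratio(events, **kwargs):
    """Fraction of connection attempts the limit would have dropped."""
    _, dropped = simulate(events, **kwargs)
    return len(dropped) / len(events)


def single_source(n=200):
    # Constructed sample: one host opening a connection every second.
    return [(i, "192.0.2.10") for i in range(n)]


def distributed(n=200, bots=100):
    # Constructed sample: 100 bots in round-robin, so each address
    # appears only twice in 200 tries, 100 seconds apart.
    return [(i, f"198.51.100.{i % bots}") for i in range(n)]


if __name__ == "__main__":
    print("single source dropped:", f"{drop_ratio(single_source()):.1%}")
    print("distributed dropped:  ", f"{drop_ratio(distributed()):.1%}")
```

Replaying real MTA connection logs through `simulate` shows, before any firewall change, whether a per-source limit would have caught a meaningful share of a given attack.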