[Exim] DOS problem (?)

Author: Alun
Date:  
To: exim-users
Subject: [Exim] DOS problem (?)
--

Dear all,

As of Monday, we have (finally!) been running Exim 4. I have to say I'm well
impressed with the ACL stuff - a lot of the hacks we had to do cunning stuff
under Exim 3 have just turned into simple ACL rules. Neat!

However...

Yesterday afternoon, we were hit hard by a single machine trying to
establish connections at the rate of around 22 per second sustained. I
already had:

smtp_accept_max = 200
smtp_accept_max_per_host = 10

and it appeared to be working to some degree:

2003-09-04 14:45:13 Connection from XXX.XXX.XX.X refused: too many connections

Despite the above settings, external mail from other sources was cut off by
this, also being refused on the basis of "too many connections". I'm at a
bit of a loss to tell why a single machine was able to do this. The servers
are dual processor 2.8GHz Xeons with 2GBytes of memory each, so it seems
unlikely that accepting and deferring each connection took long enough for
200 "on their way out" connections to exist at any point.

The attack stopped at 9am today, so I assume that some poor sysadmin is now
picking up the tattered remains of their network.

Does anyone have any advice on what I can do (within exim) to protect myself
against this in future? If I can't do it in exim, I know I can do it with a
little bit of packet sniffing to auto-generate firewall rules, but I'd
rather not have to do that!

Cheers,
Alun.
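
A log-side way to confirm which host is behind the refusals, as an added example that is not part of the original message: it scans Exim main-log lines in the format quoted in the post and reports each host's peak refusal rate. The function names, the threshold, and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Refusal lines as quoted in the post; square brackets around the address are
# optional because the post shows the host redacted without them.
REFUSED = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Connection from \[?([^\]\s]+)\]?\S* "
    r"refused: too many connections"
)

def refusals_by_host(lines):
    """Return {host: [datetime, ...]} for every refused-connection line."""
    seen = defaultdict(list)
    for line in lines:
        m = REFUSED.match(line.strip())
        if m:
            seen[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return seen

def peak_rate(times, window=timedelta(seconds=10)):
    """Largest number of refusals inside any sliding window of that length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def noisy_hosts(lines, threshold=20, window=timedelta(seconds=10)):
    """Hosts whose refusals reach the threshold within one window, worst first."""
    peaks = {h: peak_rate(ts, window) for h, ts in refusals_by_host(lines).items()}
    return sorted(((h, p) for h, p in peaks.items() if p >= threshold),
                  key=lambda hp: -hp[1])

# Constructed sample: one host refused 22 times a second for three seconds,
# a second host refused twice as collateral, and one unrelated log line.
SAMPLE = [f"2003-09-04 14:45:{13 + s:02d} Connection from 192.0.2.10 refused: too many connections"
          for s in range(3) for _ in range(22)]
SAMPLE += [
    "2003-09-04 14:45:14 Connection from 198.51.100.7 refused: too many connections",
    "2003-09-04 14:45:15 Connection from [198.51.100.7] refused: too many connections",
    "2003-09-04 14:45:15 SMTP connection from [203.0.113.5] closed by QUIT",
]

if __name__ == "__main__":
    for host, peak in noisy_hosts(SAMPLE):
        print(f"{host}: up to {peak} refusals in 10s")
```

Hosts that stay below the threshold, such as the second address in the sample, are the legitimate senders being turned away while the connection slots are occupied.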

