Author: Alun Date: To: exim-users Subject: [Exim] DOS problem (?)
--
Dear all,
As of Monday, we have (finally!) been running Exim 4. I have to say I'm well
impressed with the ACL stuff - a lot of the hacks we had to do cunning stuff
under Exim 3 have just turned into simple ACL rules. Neat!
However...
Yesterday afternoon, we were hit hard by a single machine trying to
establish connections at the rate of around 22 per second sustained. I
already had:
2003-09-04 14:45:13 Connection from XXX.XXX.XX.X refused: too many connections
Despite the above settings, external mail from other sources was cut off by
this, also being refused on the basis of "too many connections". I'm at a
bit of a loss to tell why a single machine was able to do this. The servers
are dual processor 2.8GHz Xeons with 2GBytes of memory each, so it seems
unlikely that accepting and deferring each connection took long enough for
200 "on their way out" connections to exist at any point.
The attack stopped at 9am today, so I assume that some poor sysadmin is now
picking up the tattered remains of their network.
Does anyone have any advice on what I can do (within exim) to protect myself
against this in future? If I can't do it in exim, I know I can do it with a
little bit of packet sniffing to auto-generate firewall rules, but I'd
rather not have to do that!
Cheers,
Alun.
--