Re: [exim] DOS attack. What to do?

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] DOS attack. What to do?
Gururajan Ramachandran wrote:

> Hello,
>
> It appears we are under a DOS attack. I see a bunch of
> "refused: too many connections" and people attempting
> to send email get "421...too many SMTP...". Running
> "exiwhat" shows a bunch of "handling" lines from many
> IP addresses (diverse IP addresses). Searching the
> internet, I could not locate specific solutions to
> this problem. Can someone out there who has dealt with
> this provide some advise on how I can proceed to
> correct this situation? Would Exim4 options such as
> "sender = verify" make a difference in this situation?


No, but 'require verify = recipient' might help.

This *class* of setting may solve the immediate problem, but beware that the
specific numbers may be contradictory, abnormal, wrong for your box, or all of
the above, as they are probably not even optimal for mine (OTOH, they do seem to
work..)!

;-)


# Do not advertise PIPELINING to any host (no pipelining accepted)
pipelining_advertise_hosts = :

# Reject clients that send the next command before reading the reply
# (i.e. that pipeline without being offered it)
smtp_enforce_sync                = true

# Connection and non-mail-command limits. Note that
# smtp_accept_max_nonmail_hosts is a host list (default "*"), not a count;
# the count of HELO/NOOP/etc. commands allowed is smtp_accept_max_nonmail.
smtp_accept_max_nonmail_hosts    = 10
smtp_accept_max_nonmail          = 10
smtp_accept_max                  = 200
smtp_accept_max_per_connection   = 20
smtp_accept_max_per_host         = 10
smtp_accept_queue_per_connection = 20
# Above this load average only smtp_reserve_hosts get new connections
smtp_load_reserve                = 10
smtp_connect_backlog             = 50
# Idle clients are cut off after this long
smtp_receive_timeout             = 8m
smtp_reserve_hosts               = < a ":" separated list of good guys>


# Cap on concurrent queue runners; queue_only defers all delivery to queue runs
queue_run_max                    = 400
queue_only                       = <see below>


'true' can cut the time a child process runs, but there is more to it. See the
docs.

Longer term:

You are probably being hit from a zombie farm that uses *many* IP, but
relatively fewer forged hostnames and HELO. Sometimes a local BL is handy.

Odds are these will be failing rDNS / forward/reverse lookup, forging HELO,
sending to recipients that do not exist, trying to pipeline when you do not
offer it, and other rude behaviour.

Use some combination of Exim's tests for these, apply as little as a 30 second
delay to put the monkey on *their* back, and most such will abandon the
connection on their own and seek their next target.

Other tools:

'nice' the Exim daemon to a low priority when you start it if the overall load
is giving you trouble ssh'ing in to control the box.

HTH,

Bill
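The checks Bill describes (a local blocklist, forward/reverse DNS, forged HELO, unknown recipients, and a 30 second delay to make the zombie wait) written out as Exim main settings and ACLs. This is an added example, not from Bill's post or from the Exim documentation; the domain names, addresses, the blocklist file path and the choice of which tests merely delay versus drop are assumptions for illustration. Hosts in `good_guys` skip every test and are implicitly allowed to relay, so it should hold the same hosts as `smtp_reserve_hosts`.

```exim
# Added example (not part of the original reply): Exim configuration applying
# the anti-zombie checks discussed above. All names/paths are assumptions.

domainlist local_domains   = @ : example.com             # assumption
hostlist   local_blacklist = /etc/exim/local_blacklist   # assumption: one IP or CIDR per line
hostlist   good_guys       = 127.0.0.1 : 192.0.2.10      # assumption: same as smtp_reserve_hosts

helo_try_verify_hosts = *         # attempt HELO verification for every client
acl_smtp_connect      = acl_check_connect
acl_smtp_helo         = acl_check_helo
acl_smtp_rcpt         = acl_check_rcpt

begin acl

acl_check_connect:
  # Trusted hosts skip every test below.
  accept  hosts       = +good_guys

  # Locally blocklisted zombies: make them wait 30s, then close the connection.
  drop    hosts       = +local_blacklist
          delay       = 30s
          log_message = dropped: locally blacklisted
          message     = Refused

  # Reverse DNS must exist and agree with the forward lookup. Only a delay and
  # a log line here, so a legitimate host with broken DNS can still get through;
  # most zombies give up during the wait.
  warn    !verify     = reverse_host_lookup
          delay       = 30s
          log_message = no forward/reverse DNS match, delayed

  accept

acl_check_helo:
  accept  hosts       = +good_guys

  # A HELO naming one of our own domains, our own interface address, or a bare
  # (unbracketed) IP is forged: wait, then drop.
  drop    condition   = ${if or{ \
                            {match_domain{$sender_helo_name}{+local_domains}} \
                            {eq{$sender_helo_name}{$interface_address}} \
                            {isip{$sender_helo_name}} }}
          delay       = 30s
          log_message = dropped: forged HELO $sender_helo_name
          message     = Forged HELO

  # HELO name does not resolve to the connecting address: delay but allow.
  warn    !verify     = helo
          delay       = 30s
          log_message = unverifiable HELO $sender_helo_name, delayed

  accept

acl_check_rcpt:
  accept  hosts       = +good_guys

  # Not one of our domains: plain relay refusal, no delay needed.
  deny    !domains    = +local_domains
          message     = relay not permitted

  # Recipient does not exist (dictionary run): wait 30s, then drop the whole
  # connection so the rest of the batch is never sent.
  drop    !verify     = recipient
          delay       = 30s
          log_message = dropped: unknown recipient $local_part@$domain
          message     = unknown user

  accept
```

Conditions and modifiers in an ACL verb are processed in order, so each `delay = 30s` is only reached once the preceding test has failed; legitimate senders never see it. Start with `warn` plus `log_message` on any test you are unsure about and check the main log before turning it into `deny` or `drop`.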