Re: [exim] DOS attack. What to do?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: David Saez Padros
Date:  
À: Gururajan Ramachandran
CC: exim-users
Sujet: Re: [exim] DOS attack. What to do?
Hi !!

> It appears we are under a DOS attack. I see a bunch of
> "refused: too many connections" and people attempting
> to send email get "421...too many SMTP...". Running
> "exiwhat" shows a bunch of "handling" lines from many
> IP addresses (diverse IP addresses). Searching the
> internet, I could not locate specific solutions to
> this problem. Can someone out there who has dealt with
> this provide some advise on how I can proceed to
> correct this situation? Would Exim4 options such as
> "sender = verify" make a difference in this situation?


from my experience in similar situations what helped in
having situation under control was examining the logs to
find common patterns (helo, sender addresses, recipients,
etc ...) and then build new acl rules to reject that attempts
as fast as possible, if possible avoiding dns and/or database
lookups and callouts. In most cases sender addresses are
addresses that virus found in the infected computer and
that no longer exists, so something than "deny senders ="
on top of mail acl could help a lot, also true for commonly
recipient dictionary attacks to addreses you possibly don't
have (mary, fred, joe, ...) which you can deny on rcpt
with "deny local_parts = fred:mary:.." wihtout having to
do a "verify = recipient" (which will take more cpu)

Also a cdb local blacklist rejecting at smtp connect and
built based on other acl rules rejections help a lot.

As W B Hacker psoted is important to tweak exim load control
parameters to avoid that all the server gets down when this
happens.

--
Best regards ...

----------------------------------------------------------------
    David Saez Padros                http://www.ols.es
    On-Line Services 2000 S.L.       e-mail  david@???
    Pintor Vayreda 1                 telf    +34 902 50 29 75
    08184 Palau-Solita i Plegamans   movil   +34 670 35 27 53
----------------------------------------------------------------