Author: W B Hacker Date: To: exim users Subject: Re: [exim] DOS attack. What to do?
David Saez Padros wrote:
> Hi !!
>
>
>>It appears we are under a DOS attack. I see a bunch of
>>"refused: too many connections" and people attempting
>>to send email get "421...too many SMTP...". Running
>>"exiwhat" shows a bunch of "handling" lines from many
>>IP addresses (diverse IP addresses). Searching the
>>internet, I could not locate specific solutions to
>>this problem. Can someone out there who has dealt with
>>this provide some advise on how I can proceed to
>>correct this situation? Would Exim4 options such as
>>"sender = verify" make a difference in this situation?
>
>
> from my experience in similar situations what helped in
> having situation under control was examining the logs to
> find common patterns (helo, sender addresses, recipients,
> etc ...) and then build new acl rules to reject that attempts
> as fast as possible, if possible avoiding dns and/or database
> lookups and callouts.
DNS for sure, and RBL sometimes, are faster than you might think.
And both Exim and (most) 'nearest' DNS cache lookup results for long enough to
save a second or subsequent callout.
> In most cases sender addresses are
> addresses that virus found in the infected computer and
> that no longer exists, so something than "deny senders ="
> on top of mail acl could help a lot, also true for commonly
> recipient dictionary attacks to addreses you possibly don't
> have (mary, fred, joe, ...) which you can deny on rcpt > with "deny local_parts = fred:mary:.." wihtout having to
> do a "verify = recipient" (which will take more cpu)
Surely you jest?
Putting multi-brazillons of dictionery-created non-existent local parts into
*any of* an acl (hard-wired) or as a lookup of a local flat file, db/cdb file,
or SQL RDBMS is simply not on, admin-wise and gets slower as it grows.
The number of 'possible' local_parts is well short of aleph-null, but always
several orders of magnitude larger than the number of legitimate local parts, so
verify = recipients is not so slow at the end of the day.
>
> Also a cdb local blacklist rejecting at smtp connect and
> built based on other acl rules rejections help a lot.
>
'Yes but' - put only the worst of chronic offenders in it so it is rapidly
traversed and more likely to justify the lookup time than a massive list.
> As W B Hacker psoted is important to tweak exim load control
> parameters to avoid that all the server gets down when this
> happens.
>