Re: [exim] DOS attack. What to do?

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] DOS attack. What to do?
David Saez Padros wrote:

> Hi !!
>
>
>>It appears we are under a DOS attack. I see a bunch of
>>"refused: too many connections" and people attempting
>>to send email get "421...too many SMTP...". Running
>>"exiwhat" shows a bunch of "handling" lines from many
>>IP addresses (diverse IP addresses). Searching the
>>internet, I could not locate specific solutions to
>>this problem. Can someone out there who has dealt with
>>this provide some advice on how I can proceed to
>>correct this situation? Would Exim4 options such as
>>"sender = verify" make a difference in this situation?
>
>
> from my experience in similar situations what helped in
> getting the situation under control was examining the logs to
> find common patterns (helo, sender addresses, recipients,
> etc ...) and then building new acl rules to reject those attempts
> as fast as possible, if possible avoiding dns and/or database
> lookups and callouts.


DNS for sure, and RBL sometimes, are faster than you might think.

And both Exim and (most) 'nearest' DNS cache lookup results for long enough to
save a second or subsequent callout.

> In most cases sender addresses are
> addresses that the virus found in the infected computer and
> that no longer exist, so something like "deny senders ="
> on top of the mail acl could help a lot, also true for common
> recipient dictionary attacks on addresses you possibly don't
> have (mary, fred, joe, ...) which you can deny on rcpt


> with "deny local_parts = fred:mary:.." without having to
> do a "verify = recipient" (which will take more cpu)


Surely you jest?

Putting multi-brazillons of dictionary-created non-existent local parts into
*any of* an acl (hard-wired) or as a lookup of a local flat file, db/cdb file,
or SQL RDBMS is simply not on, admin-wise, and gets slower as it grows.

The number of 'possible' local_parts is well short of aleph-null, but always
several orders of magnitude larger than the number of legitimate local parts, so
verify = recipient is not so slow at the end of the day.

>
> Also a cdb local blacklist rejecting at smtp connect and
> built based on other acl rules rejections help a lot.
>


'Yes but' - put only the worst of chronic offenders in it so it is rapidly
traversed and more likely to justify the lookup time than a massive list.

> As W B Hacker posted, it is important to tweak exim load control
> parameters to avoid the whole server going down when this
> happens.
>


Bill
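The log-mining step David describes (find the common HELO, sender and recipient patterns behind the rejections before writing an ACL) as an added example; this is not code from the thread or from Exim. The log lines are constructed to follow the shape of Exim's mainlog "rejected RCPT" and "refused: too many connections" entries, and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of Exim mainlog rejection entries (not real
# traffic): HELO name, peer IP, envelope sender and the rejected recipient.
SAMPLE_LOG = """\
2005-03-01 10:00:01 H=(mail.example.com) [192.0.2.10] F=<alice@example.com> rejected RCPT <fred@example.org>: Unrouteable address
2005-03-01 10:00:02 H=(mail.example.com) [192.0.2.11] F=<bob@example.com> rejected RCPT <mary@example.org>: Unrouteable address
2005-03-01 10:00:03 H=(mail.example.com) [192.0.2.12] F=<carol@example.net> rejected RCPT <joe@example.org>: Unrouteable address
2005-03-01 10:00:04 H=(laptop) [192.0.2.10] F=<dave@example.com> rejected RCPT <fred@example.org>: Unrouteable address
2005-03-01 10:00:05 SMTP connection from [192.0.2.13] refused: too many connections
"""

# Matches the fields a RCPT-time ACL can cheaply test (no DNS, no callout).
REJECT_RE = re.compile(
    r"H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]*)>"
)

def summarise_rejections(log_text):
    """Tally HELO names, peer IPs, sender domains and recipient local parts
    over every 'rejected RCPT' line; other lines are ignored."""
    stats = {k: Counter() for k in ("helo", "ip", "sender_domain", "local_part")}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        stats["helo"][m["helo"]] += 1
        stats["ip"][m["ip"]] += 1
        stats["sender_domain"][m["sender"].rpartition("@")[2]] += 1
        stats["local_part"][m["rcpt"].partition("@")[0]] += 1
    return stats

def suggest_rules(stats, min_hits=2):
    """Return (field, value, count) triples seen at least min_hits times,
    most frequent first, as candidates for a cheap deny rule. The caller
    still has to judge them: a HELO like 'mail.example.com' may be forged,
    and a long local_part list is what Bill warns against above."""
    found = [(field, value, n) for field, counter in stats.items()
             for value, n in counter.items() if n >= min_hits]
    return sorted(found, key=lambda t: (-t[2], t[0], t[1]))

if __name__ == "__main__":
    for field, value, n in suggest_rules(summarise_rejections(SAMPLE_LOG)):
        print(f"{n:4d}  {field:14s} {value}")
```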