Re: [exim] DDOS on SMTP port by large number of new connecti…

Author: Anoop John
Date:  
To: exim-users
Subject: Re: [exim] DDOS on SMTP port by large number of new connections from random IPs
Thanks Marius, Scott Neader, Wolfgang Breyha, Xander Harkness for looking
into this and sending your recommendations and suggestions. We implemented
both suggestions.

We set smtp_accept_max_per_host to 4. We also set up a PTR record check on
incoming connections. For those that do not have reverse DNS set up, the
connection to port 25 is established first, before the reverse DNS check
runs and the connection is closed, so there are still connections being
established from IPs without reverse DNS set up.

We have increased the maximum number of simultaneous connections to 200 and
with the PTR check in place this has now opened up more connections for
valid mail servers and we are now able to get incoming mails to the server.

The attack is still going on though. In 5 hours so far today there have been
more than 620,000 connection requests from 7200+ different IPs.

The server does not seem to have the required kernel modules to enable
tarpitting and the server support has communicated that protecting against
DDOS is not within their capability levels and that I should explore
commercial DDOS protection mechanisms. I explored a bit but found most to
be very expensive compared to the hosting plan.

Not sure how to take things forward from here. Thanks once again for your
suggestions.

Thanks
Anoop
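An Exim configuration fragment that puts the measures described in this thread in one place; it is an added example, not the poster's configuration and not code from the Exim project. The 200 and 4 limits are the values quoted in the message; the trusted_relays list, the reserve of 20 slots, the non-mail command cap and the 30-connections-per-10-minutes ratelimit are assumed placeholders to be tuned per site.

```exim
# Added example (not from the thread or the Exim project).
# Main section: the two connection limits quoted in the thread.
# Simultaneous inbound SMTP connections the daemon will hold open.
smtp_accept_max = 200
# Slots any single source IP may occupy at once.
smtp_accept_max_per_host = 4

# ASSUMED placeholder list of peers that must always be able to connect.
hostlist trusted_relays = 192.0.2.0/24 : 198.51.100.10

# Keep the last 20 of the 200 slots for trusted relays only, so a flood
# of random-IP connections cannot starve known-good peers completely.
smtp_accept_reserve = 20
smtp_reserve_hosts = +trusted_relays

# Cap non-mail commands (EHLO, NOOP, ...) per session so sessions that
# never reach MAIL FROM are closed sooner and free their slot.
smtp_accept_max_nonmail = 10

# ACL evaluated as soon as a TCP connection is accepted. The TCP
# handshake has already completed at this point, which is why hosts
# without a PTR still appear as established connections before Exim
# drops them; the check reduces load but cannot stop the handshake.
acl_smtp_connect = acl_check_connect

begin acl

acl_check_connect:
  # Localhost and trusted relays skip the checks below.
  accept hosts = 127.0.0.1 : +trusted_relays

  # Refuse sources whose reverse lookup fails or does not confirm
  # (PTR -> name -> A/AAAA must lead back to the connecting address).
  deny   !verify     = reverse_host_lookup
         message     = Reverse DNS required for this server
         log_message = no PTR for $sender_host_address

  # Refuse sources that open more than 30 connections in 10 minutes;
  # per_conn counts connections, keyed by client IP in the hints DB.
  deny   ratelimit   = 30 / 10m / per_conn / $sender_host_address
         message     = Too many connections, slow down
         log_message = connection flood from $sender_host_address

  accept
```

The log_message lines give a per-IP record in the main log that can be grepped to measure the flood and to confirm the limits are doing what is expected.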