Re: [exim] DDOS on SMTP port by large number of new connecti…

Author: Terry
Date:  
To: exim-users
Subject: Re: [exim] DDOS on SMTP port by large number of new connections from random IPs
Hi Anoop,

On 28/10/2014 03:29, Anoop John wrote:
> Thanks Marius, Scott Neader, Wolfgang Breyha, Xander Harkness for looking
> into this and sending your recommendations and suggestions. We implemented
> both suggestions.
>
> We set smtp_accept_max_per_host to 4. We also set up a PTR record check on
> incoming connections. For those that do not have reverse DNS set up, the
> connection to port 25 is established first, before the reverse DNS
> check is run and the connection closed, so there are still connections
> getting established from IPs without reverse DNS set up.
>
> We have increased the maximum number of simultaneous connections to 200 and
> with the PTR check in place this has now opened up more connections for
> valid mail servers and we are now able to get incoming mails to the server.
>
> The attack is still going on though. In 5 hours so far today there have been
> more than 620,000 connection requests from 7200+ different IPs.
>
> The server does not seem to have the required kernel modules to enable
> tarpitting and the server support has communicated that protecting against
> DDOS is not within their capability levels and that I should explore
> commercial DDOS protection mechanisms. I explored a bit but found most to
> be very expensive compared to the hosting plan.
>
> Not sure how to take things forward from here. Thanks once again for your
> suggestions.


I use ConfigServer Firewall (CSF) in conjunction with Exim and a couple
of ACLs. It works a treat and has really cut down on the number of
connections from those "no reverse DNS" IPs by about 75%. YMMV
http://www.configserver.com/cp/csf.html

CSF can use blocklists, like Spamhaus DROP and EDROP, right out of the
box. It also has per IP and per port connection flooding detection and
mitigation to help block DOS attacks.

CSF's daemon is LFD which can monitor logs for certain patterns and
initiates blocks if those patterns are found. I've written some custom
regexes to match my ACL's log message and LFD will initiate a temporary
block on those.

If you have any questions about CSF, please feel free to contact me off
list. I'm no expert, but I may be able to point you in the right
direction with CSF.

--
Terry
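The "match my ACL's log message, then temp-block after N hits" behaviour Terry describes is what LFD does against the Exim log. As an added illustration (not Terry's regexes and not CSF's code), here is a minimal stand-alone version of that counting logic run over constructed Exim mainlog lines. It assumes a connect-time ACL whose log_message is "no reverse DNS" and Exim's usual `H=[ip] rejected connection in "connect" ACL: ...` line shape; the IPs and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mainlog lines (documentation IPs, not real hosts).
SAMPLE_LOG = """\
2014-10-28 10:15:01 H=[192.0.2.10] rejected connection in "connect" ACL: no reverse DNS
2014-10-28 10:15:02 H=[192.0.2.10] rejected connection in "connect" ACL: no reverse DNS
2014-10-28 10:15:03 H=[198.51.100.5] rejected connection in "connect" ACL: no reverse DNS
2014-10-28 10:15:03 H=[192.0.2.10] rejected connection in "connect" ACL: no reverse DNS
2014-10-28 10:15:05 H=[192.0.2.10] rejected connection in "connect" ACL: no reverse DNS
2014-10-28 10:15:06 H=[192.0.2.10] rejected connection in "connect" ACL: no reverse DNS
2014-10-28 10:15:07 H=[192.0.2.10] rejected connection in "connect" ACL: no reverse DNS
2014-10-28 10:40:00 H=[198.51.100.5] rejected connection in "connect" ACL: no reverse DNS
"""

# Assumed log line shape; the ACL's log_message text is the part to tailor.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'H=(?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\] '
    r'rejected connection in "connect" ACL: no reverse DNS$'
)


def parse_hits(log_text):
    """Yield (timestamp, ip) for every line matching the ACL log message."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def temp_blocks(log_text, threshold=5, window=300, block_seconds=3600):
    """Return {ip: block_expiry} for IPs with >= threshold hits inside `window` seconds.

    This mirrors the LFD idea of "N matches within an interval => temporary block";
    hits that arrive while an IP is already blocked are ignored.
    """
    recent = defaultdict(list)   # ip -> timestamps of hits still inside the window
    blocked = {}                 # ip -> datetime when its temporary block expires
    for ts, ip in parse_hits(log_text):
        if ip in blocked and ts < blocked[ip]:
            continue
        cutoff = ts - timedelta(seconds=window)
        hits = [t for t in recent[ip] if t >= cutoff] + [ts]
        recent[ip] = hits
        if len(hits) >= threshold:
            blocked[ip] = ts + timedelta(seconds=block_seconds)
            recent[ip] = []      # start counting afresh once the block lapses
    return blocked
```

With the defaults only 192.0.2.10 crosses the threshold; 198.51.100.5's two hits are 25 minutes apart and never fall inside the same 5-minute window.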