Re: [exim] Preventing exim DoS attacks

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Christian Recktenwald
Ημερομηνία:  
Προς: Jasen Betts
Υ/ο: exim-users
Αντικείμενο: Re: [exim] Preventing exim DoS attacks
On Tue, Jun 09, 2015 at 11:37:37AM +0000, Jasen Betts wrote:
> On 2015-06-09, soumya tr <soumya.324@???> wrote:
> > Hi,
> >
> > Any one have tips on preventing DoS attacks on port 25?


What you can do to be prepared:
- use a well connected (1Gbit) root server for your incoming MX so attackers might find
it difficult to saturate the uplink.
- use systems with _lots_ of RAM. SSDs may help with the spool directory.
- replace those systems on a regular basis as the big iron of today will be the lame duck
two years ahead.
- use multiple MX servers at different hosters to distribute the load. Be aware that you
have to find some way to distibute acceptable local part lists to them.
Static (fallback) lists are preferred as dynamic lists (LDAP, ...) will increase the load.
- Dispatch spam and virus scanners to separate machines to distribute load.
- Use packet filtering to block IP ranges from countries you and your users
might never have to communicate with perhaps not even speak the language.
- consider using null routing (routing malicious IPs to your loopback device) instead
of packet filtering as it might be faster.
- use geoip services to implement country based block lists with exim.
- combine things: use packet filtering and block lists to only allow delivery
from aggressive sites to (a) special MX server(s) so the "good" guys
might have to suffer less from the attack.
- if your OS provides it, try SYN-Cookies

And, as usual: not everything of this is applicable for everyone, but
everything you can implement will help.

> It's basically impossible to prevent the attack, unless youre prepared
> to unplug the network: You have to harden the target instead:
>
> Optimise the email rejection path. Install a dns cache. Teergrube.
> If it's a distributed DoS consider an adaptive firewall like fail2ban.
>
> port 25 is a big target, abd exim is highly configurable.
> many attacks need attention on a case by case basis.


that's for sure.

-- 
Christian Recktenwald      
exim-users-dist@???