Re: [exim] Help with AUTH DDOS

Author: Evgeniy Berdnikov
Date:
To: exim-users
Subject: Re: [exim] Help with AUTH DDOS
On Thu, Jun 27, 2019 at 12:12:04AM -0700, mixed8e--- via Exim-users wrote:
> However, it appears that the number of connections is very reasonable.
> Does Exim have a reporting mechanism where I can get connection stats?


With config option "log_selector=+all" lines like

SMTP connection from [78.108.69.2]:48469 I=[192.168.10.12]:25 (TCP/IP connection count = 157)

are written into mainlog.

> I get different numbers from ss, netstat, lsof, /proc/net/sockstat,
> /proc/net/tcp, and whatever else I've tried. Some of the numbers are not
> very similar, so I don't know what to look for. Everything except some of
> the `ss -s`numbers makes it look as though the connection count to Exim is
> quite small.


Probably not all these sources are interpreted right. Say, /proc/net/tcp
contains raw entries which are not human-readable; they should be
filtered by port numbers and by flags: some connections are in ESTABLISHED
state, some in SYN-SENT or SYN-ACK, some in TIME_WAIT, and so on.

The number of incoming connections may be estimated as the number of Exim's
child processes under the listening daemon (excluding active queue runners).

> Could the slowness be the firewall so busy with the large volume of
> attempted connections even though most are dropped? `uptime` shows a
> fairly light load on the system, not too much wait (though it does pop up
> once in a while over 20% it's mostly under 10%). The only flaw with that
> idea, why would SMTP service be particularly affected more than other
> services?


First of all you have to check memory utilization. If your system falls
into swapping, then CPU speed does not matter. The second step should be a
check of DNS operation and of the /etc/resolv.conf contents.
--
Eugene Berdnikov
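As an added example (not part of the thread or of Exim itself), here is a Python script that applies the two checks suggested in the reply: it decodes raw /proc/net/tcp entries, keeps only sockets whose local port is 25 and buckets them by TCP state, and it extracts the "TCP/IP connection count" figures from mainlog lines written with log_selector=+all. The /proc/net/tcp rows and mainlog lines embedded below are constructed samples (one row and one log line reuse the addresses quoted in the reply); address decoding assumes a little-endian host, which is what an x86 kernel prints.

```python
"""Count SMTP connections to an Exim listener from two sources:
the kernel socket table (/proc/net/tcp) and Exim's mainlog.

Added example, not code from the exim-users thread. The socket-table rows
and log lines below are constructed for illustration.
"""
import re
import socket
import struct
from collections import Counter

# TCP state codes as printed in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed /proc/net/tcp excerpt: a listener on *:25, one ESTABLISHED
# client (addresses from the reply), one half-open SYN_RECV, two TIME_WAIT,
# an SSH session on :22 and an outbound delivery to a remote port 25.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0C0AA8C0:0019 02456C4E:BD55 01 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 0C0AA8C0:0019 077100CB:C74A 03 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
   3: 0C0AA8C0:0019 077100CB:C74B 06 00000000:00000000 00:00000000 00000000     0        0 0 1 0 100 0 0 10 0
   4: 0C0AA8C0:0019 077100CB:C74C 06 00000000:00000000 00:00000000 00000000     0        0 0 1 0 100 0 0 10 0
   5: 0C0AA8C0:0016 077100CB:D001 01 00000000:00000000 00:00000000 00000000     0        0 1005 1 0 100 0 0 10 0
   6: 0C0AA8C0:B0E2 096433C6:0019 01 00000000:00000000 00:00000000 00000000   101        0 1006 1 0 100 0 0 10 0
"""

# Constructed mainlog excerpt in the format produced by log_selector=+all.
SAMPLE_MAINLOG = """\
2019-06-27 00:12:04 SMTP connection from [78.108.69.2]:48469 I=[192.168.10.12]:25 (TCP/IP connection count = 157)
2019-06-27 00:12:05 SMTP connection from [203.0.113.7]:51018 I=[192.168.10.12]:25 (TCP/IP connection count = 158)
2019-06-27 00:12:05 SMTP connection from [203.0.113.7]:51018 closed by QUIT
2019-06-27 00:12:06 SMTP connection from [203.0.113.7]:51019 I=[192.168.10.12]:25 (TCP/IP connection count = 157)
"""


def decode_addr(field, byteorder="little"):
    """Decode an 'AABBCCDD:PPPP' field: the IPv4 address is a 32-bit integer
    in host byte order (little-endian on x86), the port is big-endian hex."""
    addr_hex, port_hex = field.split(":")
    fmt = "<I" if byteorder == "little" else ">I"
    return socket.inet_ntoa(struct.pack(fmt, int(addr_hex, 16))), int(port_hex, 16)


def count_smtp_sockets(proc_tcp_text, local_port=25):
    """Return a Counter of TCP state names for sockets whose *local* port is
    local_port. Filtering on the local port excludes unrelated services and
    Exim's own outbound deliveries (remote port 25, ephemeral local port)."""
    states = Counter()
    for line in proc_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        _, lport = decode_addr(fields[1])
        if lport != local_port:
            continue
        states[TCP_STATES.get(fields[3], fields[3])] += 1
    return states


CONN_RE = re.compile(
    r"SMTP connection from \[([^\]]+)\]:(\d+) I=\[([^\]]+)\]:(\d+) "
    r"\(TCP/IP connection count = (\d+)\)"
)


def parse_mainlog_counts(log_text):
    """Return [(peer_ip, connection_count), ...] from 'SMTP connection from'
    lines; other lines (e.g. 'closed by QUIT') are ignored."""
    found = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            found.append((m.group(1), int(m.group(5))))
    return found


def peak_connection_count(log_text):
    """Highest simultaneous connection count Exim reported in the log."""
    counts = [c for _, c in parse_mainlog_counts(log_text)]
    return max(counts) if counts else 0


if __name__ == "__main__":
    # On a live host, replace the samples with open("/proc/net/tcp").read()
    # and the contents of the mainlog.
    by_state = count_smtp_sockets(SAMPLE_PROC_NET_TCP)
    print("sockets on :25 by state:", dict(by_state))
    print("inbound (non-LISTEN):", sum(v for k, v in by_state.items() if k != "LISTEN"))
    print("peak count logged by Exim:", peak_connection_count(SAMPLE_MAINLOG))
```

The kernel figure and Exim's own counter answer different questions: /proc/net/tcp includes TIME_WAIT and half-open SYN_RECV entries that Exim never sees as a process, whereas the mainlog count is the number of accepted connections the daemon was handling at that moment. A large gap between the two, with many SYN_RECV rows, points at connection floods absorbed by the kernel rather than at Exim itself. On a dual-stack host, /proc/net/tcp6 needs the same treatment with 128-bit addresses, which this script does not decode.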