[exim] smtp_accept_max & DDoS

Author: Slavko
Date:  
To: exim ML
New-Topics: [exim] CIENTID - Re: smtp_accept_max & DDoS
Subject: [exim] smtp_accept_max & DDoS
Hi,

I wonder about DDoS; I will try to explain why more descriptively,
please approximate my English...

I have a separate MSA exim, it authenticates users against dovecot
and I use dovecot's Auth Policy daemon to do some checks before
the login itself.

I am facing many login attempts (attacks) from ~100-200 different
IPs daily, without any pattern in country/ASN/IP block. Most of them
are properly identified by the mentioned Auth Policy daemon, which
prevents the real login. Dovecot shows in its logs something like
"drop connection". That all works as expected when IMAP login
attempts happen.

The problem is in exim. It gets (logs) an "authenticator failed ..." line;
that line contains "535 Incorrect authentication data ..." too. Then
it responds with that (I guess) to the client, which never responds. The
connection is then held open until the timeout happens (in my case
I lowered it to 60 sec). As the attackers do these login attempts in
waves of 10-15 IPs in a short time, there are multiple connections
opened until the timeout happens.

They repeat logins from the same IP only after a relatively long time
(in days), thus blocking in the FW doesn't solve that. I have some
thousands of IPs in the FW already, their count grows and it currently
blocks about 40-60 % of connections, but still many new IPs appear and
that has been happening for about 2 years. I do not know if it is one or
more attackers (botnets), but I guess that more groups are trying me.

By the docs, the default smtp_accept_max is 20; I have set it to a higher
value already, but that doesn't matter, as I see that the attacker has
many thousands of IPs available. Thus I wonder whether it is able to reach
that limit anytime it wants, just by opening many connections
and abandoning them, thus effectively running a DDoS against the MSA.
I haven't met that DDoS yet, but I wonder about it -- is my wondering
real or am I too paranoid?

I cannot find a way to follow the mentioned "drop connection" from the
Auth Policy daemon in the authenticator, thus how to drop the connection
on **some** login attempts. I do not know if that is even possible,
neither in exim nor in dovecot. Please, is there a way to drop these
policy-blocked logins to prevent connection timeouts?

Please, does anyone else wonder about or meet this too?

regards

--
Slavko
https://www.slavino.sk/
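
An added example, not part of the original post and not Exim code: one way to measure from the main log how close the idle connections described above come to smtp_accept_max. It assumes every failed AUTH holds its connection for the full 60 s timeout, as the post describes; the log line layout, the authenticator name "dovecot_login" and all addresses in the sample are constructed.

```python
import re
from datetime import datetime, timedelta

# Exim main-log failure line (layout assumed; "dovecot_login" is a hypothetical name):
# 2024-03-01 10:00:02 dovecot_login authenticator failed for (h) [203.0.113.2]: 535 ...
FAILED = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?authenticator failed for .*?"
    r"\[([0-9A-Fa-f.:]+)\](?::\d+)?: 535 ")

def parse_failures(lines):
    """Return sorted (timestamp, ip) pairs, one per failed-AUTH log line."""
    out = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group(2)))
    return sorted(out)

def peak_held_slots(failures, hold_seconds=60):
    """Peak connections open at once if every failed AUTH idles until timeout."""
    events = []
    for ts, _ip in failures:
        events.append((ts, 1))   # slot taken
        events.append((ts + timedelta(seconds=hold_seconds), -1))  # freed
    events.sort()  # tuples sort -1 before +1 at equal times: free first
    current = peak = 0
    for _ts, delta in events:
        current += delta
        peak = max(peak, current)
    return peak

def report(lines, smtp_accept_max=20, hold_seconds=60):
    failures = parse_failures(lines)
    peak = peak_held_slots(failures, hold_seconds)
    return {"failures": len(failures),
            "distinct_ips": len({ip for _, ip in failures}),
            "peak_held": peak,
            "share_of_limit": peak / smtp_accept_max}

# Constructed sample: 12 IPs failing within 22 s, one normal line, one straggler.
SAMPLE = [f"2024-03-01 10:00:{2 * i:02d} dovecot_login authenticator failed for "
          f"(h{i}) [203.0.113.{i + 1}]: 535 Incorrect authentication data (set_id=u{i})"
          for i in range(12)] + [
    "2024-03-01 10:00:30 <= alice@example.org H=(pc) [198.51.100.7] P=esmtpsa S=1200",
    "2024-03-01 10:02:10 dovecot_login authenticator failed for (late) "
    "[203.0.113.99]: 535 Incorrect authentication data (set_id=x)"]

if __name__ == "__main__":
    print(report(SAMPLE))
```

On the sample, a single wave of 12 addresses occupies 60 % of a limit of 20 for most of a minute, and the per-address count stays at one, which is why per-host limits and firewall blocks do not reduce the peak.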
