[exim] Re: smtp_accept_max & DDoS

Author: Cyborg
Date:  
To: exim-users
Subject: [exim] Re: smtp_accept_max & DDoS
On 12.05.23 at 17:23, Slavko via Exim-users wrote:
> On 12 May 2023 14:36:23 UTC, user Jeremy Harris via Exim-users <exim-users@???> wrote:
>
>> Your short setting for smtp_receive_timeout is probably the best
>> way (despite violating standards).
> IMO that standards violation is not true, RFC 6409 allows shortening
> SMTP timeouts for MSA, it doesn't strictly define them, only
> suggests 2-5 mins...
>
> Anyway, thanks for suggestions ;-)
>
> regards
>
>


It's easy to detect if someone is blocking your exim:

Loop over :

1. Getting all ID-Triples

netstat -lnap | grep exim | grep <INSERT WORD CONNECTED IN YOUR SYSLANG HERE> \
  | awk '{print $5":"$7;}' | sed -e "s/\/exim//g"


87.123.20.215:36858:1127858
87.123.20.215:36834:1127839
87.123.20.215:36844:1127849

You now have the identifying triple; it's highly unlikely, next to
impossible, to get the same triple of ip:port:processid again.

2. Check them against a HASH with the triple as key and a timestamp as
value

3. if the triple is not in the hash, put it in with now() as timestamp;
    if the triple is in the hash, check if the timestamp is xxx seconds old; if so, end
exim with "kill $pid" and "iptables -A smtpattacker -s $IP -j DROP"

4. if you find triples in the hash that are not in the actual set of
triples from step 1, remove them from the hash.

5. Sleep 10s

End Loop

I suggest choosing your timeout for the kill wisely, as some servers
send a big chunk of data slow as hell, but a reasonable amount would be 30s.
In addition, the netstat output could show whether any data is in the
connection buffer, as an indicator that the host has sent real data and
thus that this is a valid connection attempt.


best regards,
Marius

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
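The loop Marius sketches above, written out as an added example by the editor (it is not code from the original post, from Exim, or from the list). It assumes net-tools `netstat -anp` output under `LANG=C` (so the state column reads `ESTABLISHED` regardless of system language), keys on the same ip:port:pid triple, and forgets triples that have disappeared. As an extension of the post's hint about the connection buffer, a non-zero Recv-Q is treated as activity that restarts the clock; that policy is an assumption, not something the post prescribes. The kill/iptables commands are only returned as strings so an operator can review them before wiring them to `subprocess`. Sample netstat lines are constructed.

```python
"""Stale-SMTP-connection tracker (editor's example, not from the exim-users post)."""
import os
import re
import subprocess
import time

# One `netstat -anp` line (net-tools, LANG=C): Proto Recv-Q Send-Q Local Foreign State PID/Program.
# Lines whose PID column is "-" (not root) do not match and are skipped.
NETSTAT_LINE = re.compile(
    r"^tcp6?\s+(?P<recvq>\d+)\s+\d+\s+\S+\s+(?P<foreign>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)

# Constructed sample output; addresses are documentation/example ranges.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1050/exim4
tcp        0      0 10.0.0.5:25             87.123.20.215:36858     ESTABLISHED 1127858/exim4
tcp        0      0 10.0.0.5:25             87.123.20.215:36834     ESTABLISHED 1127839/exim4
tcp      512      0 10.0.0.5:25             198.51.100.7:50211      ESTABLISHED 1127901/exim4
tcp        0      0 10.0.0.5:22             203.0.113.9:40123       ESTABLISHED 912/sshd
"""


def parse_triples(netstat_output, program="exim", state="ESTABLISHED"):
    """Step 1: return {"ip:port:pid": recv_q_bytes} for every established connection of `program`."""
    triples = {}
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m or program not in m.group("prog") or m.group("state") != state:
            continue
        # rpartition keeps IPv6 / v4-mapped addresses (::ffff:1.2.3.4:25) intact.
        ip, _, port = m.group("foreign").rpartition(":")
        triples[f"{ip}:{port}:{m.group('pid')}"] = int(m.group("recvq"))
    return triples


class StaleConnectionTracker:
    """Steps 2-4: hash of triple -> first-seen timestamp, returning triples older than max_age."""

    def __init__(self, max_age=30):
        self.max_age = max_age
        self.first_seen = {}

    def observe(self, triples, now):
        # Step 4: drop triples that are no longer present in this poll.
        for key in list(self.first_seen):
            if key not in triples:
                del self.first_seen[key]
        stale = []
        for key, recvq in triples.items():
            if key not in self.first_seen:
                self.first_seen[key] = now            # step 3: new triple, stamp it
            elif recvq > 0:
                self.first_seen[key] = now            # assumption: unread data = peer is active
            elif now - self.first_seen[key] >= self.max_age:
                stale.append(key)                     # step 3: too old, candidate for kill
        return stale


def response_commands(triple, chain="smtpattacker"):
    """The two commands from the post for one stale triple, returned for review rather than executed."""
    ip, _port, pid = triple.rsplit(":", 2)
    return [f"kill {pid}", f"iptables -A {chain} -s {ip} -j DROP"]


def demo(max_age=30):
    """Offline walk-through on SAMPLE: two polls 40 s apart, one connection gone in between."""
    tracker = StaleConnectionTracker(max_age=max_age)
    first = tracker.observe(parse_triples(SAMPLE), now=1000)
    gone = "tcp        0      0 10.0.0.5:25             87.123.20.215:36834     ESTABLISHED 1127839/exim4\n"
    second = tracker.observe(parse_triples(SAMPLE.replace(gone, "")), now=1040)
    return first, second, sorted(tracker.first_seen)


def poll_once(tracker):
    """Step 1 against the live system (needs root for PIDs); returns the stale triples."""
    out = subprocess.run(["netstat", "-anp"], capture_output=True, text=True,
                         env={**os.environ, "LANG": "C"}).stdout
    return tracker.observe(parse_triples(out), now=time.time())


if __name__ == "__main__":
    tracker = StaleConnectionTracker(max_age=30)
    while True:                                   # step 5: loop with a 10 s sleep
        for triple in poll_once(tracker):
            print("stale:", triple, "->", "; ".join(response_commands(triple)))
        time.sleep(10)
```

Run as root to see Exim's PIDs in the netstat output; without `-p` data the regex skips the line rather than inventing a triple. The `demo()` function reproduces the decision logic offline: after the second poll only the connection that has been idle for 40 s with an empty receive queue is reported, the one with 512 bytes queued is not.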