In ASSP we have the ability to "limit number of sessions": "The maximum number of SMTP sessions (connections) to handle per IP address concurrently. Limit this to prevent DOS attacks"
What I think would be useful is a way to limit the number of connections per minute. I have in the past, and today, had to manually add IPs to my denysmtp file to get them to stop overloading my server with as many as 7 connects and disconnects per SECOND. They were initially delayed, then embargoed twice, then went on a connect and disconnect rampage. I noticed it in the log all of a sudden as I was looking at some other issues and killed that IP. I don't think this is an attack, but somehow a server gone wild, as the offending IP 65.197.94.141 belongs to "Eunice Public Schools" and the event is still happening and will show up again when I remove them from denysmtp.

If we had a way to limit connections per minute for a particular IP it would definitely help to protect against DOS attacks and keep us from having to react to these kinds of issues, as I figure their site admin will eventually make the problem go away. Right now it doesn't seem that ASSP will protect against a malicious script that just connects and reconnects, although it would take a few running at the same time to cause a real problem, as this one instance only caused my server load to increase ~20%, from 5% to 25% average. No hard numbers, this was just from me knowing my server, watching the task manager CPU load indicator during the event and the mail log to be sure mail was flowing and not just stuck on one large email. Granted, on a faster system this might have a lot less impact.

Since this would be aimed at these kinds of rapid-fire connections, IPs that trigger the security should be denied SMTP connections for a short period of time, say 5 minutes. Maybe a "connections per second" would be a better setting, as ASSP would have to keep track of fewer IPs/number of connections. Why would any valid SMTP server have to connect more than once every few seconds even if it was very busy sending mail to me? Would it reuse an existing connection?
Doug Traylor

Log snippet:

Nov-6-06 09:10:30 Connected: 65.197.94.141:52912 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:30 65.197.94.141 <> is disconnected
Nov-6-06 09:10:30 Connected: 65.197.94.141:52914 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:30 65.197.94.141 <> is disconnected
Nov-6-06 09:10:30 Connected: 65.197.94.141:52916 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:30 65.197.94.141 <> is disconnected
Nov-6-06 09:10:30 Connected: 65.197.94.141:52920 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:30 65.197.94.141 <> is disconnected
Nov-6-06 09:10:30 Connected: 65.197.94.141:52922 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:30 65.197.94.141 <> is disconnected
Nov-6-06 09:10:30 Connected: 65.197.94.141:52924 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:30 65.197.94.141 <> is disconnected
Nov-6-06 09:10:30 Connected: 65.197.94.141:52926 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:31 65.197.94.141 <> is disconnected
Nov-6-06 09:10:31 Connected: 65.197.94.141:52928 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:31 65.197.94.141 <> is disconnected
Nov-6-06 09:10:31 Connected: 65.197.94.141:52930 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:31 65.197.94.141 <> is disconnected
Nov-6-06 09:10:31 Connected: 65.197.94.141:52932 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:31 65.197.94.141 <> is disconnected
Nov-6-06 09:10:31 Connected: 65.197.94.141:52936 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:31 65.197.94.141 <> is disconnected
Nov-6-06 09:10:31 Connected: 65.197.94.141:52938 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:31 65.197.94.141 <> is disconnected
Nov-6-06 09:10:31 Connected: 65.197.94.141:52940 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:31 65.197.94.141 <> is disconnected
Nov-6-06 09:10:32 Connected: 65.197.94.141:52942 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:32 65.197.94.141 <> is disconnected
Nov-6-06 09:10:34 Connected: 65.197.94.141:52944 -> 10.0.0.3:25 -> 10.0.3.2:26
Nov-6-06 09:10:34 65.197.94.141 <> is disconnected
Nov-6-06 09:10:34 Connection from 65.197.94.141:52946 rejected by denySMTPConnectionsFrom
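
The per-IP connection-rate limit with a temporary denial that the post asks for can be prototyped by replaying log lines in the quoted format. This is an added example, not part of the original post and not ASSP code; the threshold of 5 connections per 1-second window is an assumption, the 300-second denial is the 5 minutes the post suggests, and the sample log uses constructed documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Connected:" lines in the log format quoted in the post.
CONNECT_RE = re.compile(
    r"^(\w{3}-\d{1,2}-\d{2} \d{2}:\d{2}:\d{2}) Connected: "
    r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ ->")

def replay(lines, max_conns=5, window_s=1, block_s=300):
    """Replay log lines through a per-IP connection-rate limit.

    max_conns and window_s are assumed thresholds; block_s is the
    5-minute denial the post proposes. Returns (accepted, denied, blocks).
    """
    recent = defaultdict(deque)   # ip -> timestamps of connects in the window
    blocked_until = {}            # ip -> time the temporary denial ends
    blocks = []                   # (ip, start, end) for each denial triggered
    accepted = denied = 0
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m:
            continue              # disconnects and other entries are ignored
        ts = datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S")
        ip = m.group(2)
        if ts < blocked_until.get(ip, datetime.min):
            denied += 1           # still inside the temporary denial
            continue
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() >= window_s:
            q.popleft()           # drop connects that fell out of the window
        q.append(ts)
        if len(q) > max_conns:    # rate exceeded: start the temporary denial
            blocked_until[ip] = ts + timedelta(seconds=block_s)
            blocks.append((ip, ts, blocked_until[ip]))
            q.clear()
            denied += 1
        else:
            accepted += 1
    return accepted, denied, blocks

def _conn(stamp, ip, port):
    return f"Nov-6-06 {stamp} Connected: {ip}:{port} -> 10.0.0.3:25 -> 10.0.3.2:26"

# Constructed sample log (documentation-range addresses, not from the post).
SAMPLE = ([_conn("09:10:30", "192.0.2.10", 52900 + i) for i in range(8)]
          + [_conn("09:10:30", "198.51.100.7", 40001),
             "Nov-6-06 09:10:30 192.0.2.10 <> is disconnected",
             _conn("09:10:31", "192.0.2.10", 52920),
             _conn("09:10:31", "192.0.2.10", 52922),
             _conn("09:10:45", "198.51.100.7", 40002),
             _conn("09:16:00", "192.0.2.10", 52950)])

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Because the log has one-second resolution, a 1-second window counts connections per clock second; the occasional sender in the sample is never denied, and the noisy address is accepted again once its denial expires.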
