Hi Anoop,

On 28/10/2014 03:29, Anoop John wrote:
> Thanks Marius, Scott Neader, Wolfgang Breyha, Xander Harkness for looking
> into this and sending your recommendations and suggestions. We implemented
> both suggestions.
>
> We set smtp_accept_max_per_host to 4. We also set up a PTR record check on
> incoming connections. For those that do not have reverse DNS set up, the
> connection to port 25 is established first, before the reverse DNS check is
> used and the connection closed, so there are still connections getting
> established from IPs without reverse DNS set up.
>
> We have increased the maximum number of simultaneous connections to 200, and
> with the PTR check in place this has now opened up more connections for
> valid mail servers and we are now able to get incoming mails to the server.
>
> The attack is still going on though. In 5 hours so far today there have been
> more than 620,000 connection requests from 7200+ different IPs.
>
> The server does not seem to have the required kernel modules to enable
> tarpitting, and the server support has communicated that protecting against
> DDOS is not within their capability levels and that I should explore
> commercial DDOS protection mechanisms. I explored a bit but found most to
> be very expensive compared to the hosting plan.
>
> Not sure how to take things forward from here. Thanks once again for your
> suggestions.

I use ConfigServer Firewall (CSF) in conjunction with Exim and a couple of ACLs. It works a treat and has really cut down on the number of connections from those "no reverse DNS" IPs by about 75%. YMMV
http://www.configserver.com/cp/csf.html

CSF can use blocklists, like Spamhaus DROP and EDROP, right out of the box. It also has per IP and per port connection flooding detection and mitigation to help block DOS attacks.

CSF's daemon is LFD which can monitor logs for certain patterns and initiates blocks if those patterns are found. I've written some custom regexes to match my ACL's log message and LFD will initiate a temporary block on those.

If you have any questions about CSF, please feel free to contact me off list. I'm no expert, but I may be able to point you in the right direction with CSF.

--
Terry
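
The pattern both messages describe, a connect ACL that rejects hosts without reverse DNS and a log watcher (LFD in Terry's setup) that turns repeated rejections into a temporary firewall block, can be illustrated with a small standalone script. This is an added example and is not code from the thread, from Exim or from CSF. It assumes an ACL that logs the fixed text "no reverse DNS" on a connect-time deny, so the mainlog lines have Exim's usual `H=[ip] rejected connection in "connect" ACL: ...` shape; the threshold, window, block duration and the log lines themselves are constructed for the example.

```python
"""Added example (not from the thread): an LFD-style watcher for Exim mainlog lines.

Assumed setup: a connect ACL that denies hosts without a PTR record and logs
the text "no reverse DNS", so Exim writes lines such as

  2014-10-28 09:15:02 H=[203.0.113.7] rejected connection in "connect" ACL: no reverse DNS

The watcher counts such rejections per IP inside a sliding window and returns
the IP the moment it crosses a threshold, which is the point where LFD would
hand it to CSF for a temporary deny.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "no reverse DNS" is the assumed ACL message; match whatever your ACL logs.
# Exim writes H=hostname [ip] when it knows a name and H=[ip] when it does not,
# so the hostname part is optional.
REJECT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'H=(?:[^\s\[]+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\] '
    r'rejected connection in "connect" ACL: no reverse DNS$'
)


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class RejectTracker:
    """Per-IP sliding-window counter with temporary block expiry."""

    def __init__(self, threshold=5, window_minutes=10, block_minutes=60):
        self.threshold = threshold
        self.window = timedelta(minutes=window_minutes)
        self.block_for = timedelta(minutes=block_minutes)
        self.hits = defaultdict(deque)  # ip -> timestamps of recent rejections
        self.blocked = {}               # ip -> time the temporary block expires

    def feed(self, line):
        """Consume one log line; return the IP if it just crossed the threshold."""
        m = REJECT_RE.match(line)
        if not m:
            return None  # not one of our ACL rejections
        ts, ip = _parse_ts(m.group("ts")), m.group("ip")
        if ip in self.blocked:
            if self.blocked[ip] > ts:
                return None  # still blocked: the firewall should be dropping this
            del self.blocked[ip]  # block expired, start counting afresh
        q = self.hits[ip]
        q.append(ts)
        while ts - q[0] > self.window:  # drop hits older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = ts + self.block_for
            q.clear()
            return ip
        return None

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        return expiry is not None and expiry > now


def scan(lines, **kw):
    """Replay log lines; return IPs in the order they became blocked."""
    tracker = RejectTracker(**kw)
    return [ip for ip in map(tracker.feed, lines) if ip is not None]


def is_blocked_at(lines, ip, when, **kw):
    """Replay the log, then ask whether `ip` is blocked at timestamp `when`."""
    tracker = RejectTracker(**kw)
    for line in lines:
        tracker.feed(line)
    return tracker.is_blocked(ip, _parse_ts(when))


# Constructed sample mainlog: one host hammering without a PTR, one host with
# two widely spaced rejections, and one unrelated delivery line.
SAMPLE_LOG = [
    '2014-10-28 09:15:02 H=[203.0.113.7] rejected connection in "connect" ACL: no reverse DNS',
    '2014-10-28 09:15:03 H=[198.51.100.9] rejected connection in "connect" ACL: no reverse DNS',
    '2014-10-28 09:15:10 H=[203.0.113.7] rejected connection in "connect" ACL: no reverse DNS',
    '2014-10-28 09:15:20 1XiRkL-0004Tf-2Y <= user@example.org H=mail.example.org [192.0.2.25] P=esmtp S=2314',
    '2014-10-28 09:16:01 H=[203.0.113.7] rejected connection in "connect" ACL: no reverse DNS',
    '2014-10-28 09:17:30 H=[203.0.113.7] rejected connection in "connect" ACL: no reverse DNS',
    '2014-10-28 09:18:45 H=[203.0.113.7] rejected connection in "connect" ACL: no reverse DNS',
    '2014-10-28 09:19:00 H=[203.0.113.7] rejected connection in "connect" ACL: no reverse DNS',
    '2014-10-28 09:40:00 H=[198.51.100.9] rejected connection in "connect" ACL: no reverse DNS',
]

if __name__ == "__main__":
    for ip in scan(SAMPLE_LOG):
        print("temporary block:", ip)
```

Run as-is it reports a block for 203.0.113.7 only: its fifth rejection within ten minutes trips the threshold, the sixth is ignored because the block is already in place, and 198.51.100.9 never accumulates two hits inside one window. In a real deployment the returned IP is what you would pass to CSF's temporary deny (`csf -td`) rather than print, and the regex is the piece to adapt to the exact message your ACL logs.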

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/