Quoting Evert Smit
Hi List,
I am having a security issue, sort of, and was wondering if you know any solutions to this. Someone is bombarding my server with mail, forcing sendmail to run the max allowed child processes and start to reject requests to send mail. What techniques could I use to filter the traffic to sendmail before it actually hits the daemon, and therefore prevent the high load on it?
Hi,

I have read 19 messages in this thread, from which I understand:

lobo@0-8-15.ch was forged by the attacker.

At Fri, 1 Nov 2002 19:46:29 -0800, the attacker's host was 200.170.149.113 (ip-170-149-113.xdsl-fixo.ctbcnetsuper.com.br), assuming the clock at leland3.Stanford.EDU is accurate.

There is no evidence of your host being an open relay, just a victim of a mail bomb attack.

Blocking 200.170.149.113 will have no effect, as the attacker is not coming in directly. Blocking any other IP is futile, as the attacker could use any mail server as a source, and all you will achieve is potentially blocking valid mail.

You should complain loudly but politely to the attacker's ISP, abuse@ctbctelecom.net.br and/or security@ctbctelecom.net.br, presenting a sample of the evidence, i.e. logs and a few bounced messages. If a particular mail server is being heavily used to bounce messages to you, it may be worth advising the postmaster at that site of the abuse of his server.

You can protect your server by dropping the load sendmail can place on the system. Reducing the value of "O RefuseLA=nn" will lower the threshold at which connections are refused. Setting "O ConnectionRateThrottle=nn" will limit the number of connections per second.

You could achieve a similar rate limiting in iptables with:

    iptables -N THROTTLE
    iptables -A THROTTLE -p tcp --dport 25 -m limit --limit nn/sec --limit-burst mm -j ACCEPT
    iptables -I INPUT xx -p tcp --dport 25 -m state --state NEW -j THROTTLE

(see iptables -m limit --help)

Both these measures will reduce your mail throughput, but it's better than having the server keel over.

HTH
John
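John's advice to find out which mail servers are bouncing the most messages at you, so their postmasters can be told, comes down to counting inbound sendmail log entries per relay. The script below is an added example written for this page; it is not code from the thread or from sendmail. It assumes stock sendmail syslog "from=" lines with a trailing "relay=host [ip]" field, and relies on the fact that delivery status notifications (bounces) arrive with an empty envelope sender, from=<>. The log lines embedded in it are constructed sample data, not the poster's logs.

```python
"""Rank the relays that are bouncing mail at this host.

Added example, not from the original thread. Parses sendmail syslog
"from=" lines, keeps the inbound ones, and counts per relay those whose
envelope sender is empty (from=<>), which is how bounces/DSNs arrive.
The relay with the highest bounce count is the one whose postmaster
is worth contacting.
"""
import re
from collections import Counter

# Constructed sample log, not real data. The to=/stat=Sent line is an
# outbound delivery record and must be ignored by the parser.
SAMPLE_LOG = """\
Nov  1 19:46:29 mailhost sendmail[2101]: gA23kTx02101: from=<>, size=2310, class=0, nrcpts=1, msgid=<a1@mx.example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.10]
Nov  1 19:46:30 mailhost sendmail[2102]: gA23kUx02102: from=<>, size=2290, class=0, nrcpts=1, msgid=<a2@mx.example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.10]
Nov  1 19:46:31 mailhost sendmail[2103]: gA23kVx02103: from=<alice@example.net>, size=812, class=0, nrcpts=1, msgid=<b1@example.net>, proto=ESMTP, daemon=MTA, relay=smtp.example.net [198.51.100.7]
Nov  1 19:46:31 mailhost sendmail[2104]: gA23kVx02104: from=<>, size=2305, class=0, nrcpts=1, msgid=<c1@relay.example.com>, proto=ESMTP, daemon=MTA, relay=relay.example.com [203.0.113.5]
Nov  1 19:46:32 mailhost sendmail[2105]: gA23kWx02105: from=<>, size=2320, class=0, nrcpts=1, msgid=<a3@mx.example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.10]
Nov  1 19:46:33 mailhost sendmail[2106]: gA23kXx02106: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30000, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent
"""

# Inbound "from=" record with a network relay. The hostname is optional
# because sendmail logs "relay=[ip]" when reverse DNS fails.
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?"
    r"relay=(?:(?P<host>[^\s\[]+)\s+)?\[(?P<ip>[^\]]+)\]"
)


def parse_inbound(log_text):
    """Return (queue_id, envelope_sender, relay_host, relay_ip) for each
    inbound message record. Delivery (to=) lines and local submissions
    without a bracketed IP are skipped."""
    records = []
    for line in log_text.splitlines():
        m = FROM_LINE.search(line)
        if not m:
            continue
        host = (m.group("host") or "").rstrip(".") or None
        records.append((m.group("qid"), m.group("sender"), host, m.group("ip")))
    return records


def is_bounce(sender):
    """A DSN/bounce is sent with the null return path, i.e. from=<>."""
    return sender == ""


def bounce_sources(log_text):
    """Count bounces per (relay_host, relay_ip)."""
    counts = Counter()
    for _qid, sender, host, ip in parse_inbound(log_text):
        if is_bounce(sender):
            counts[(host, ip)] += 1
    return counts


def top_bounce_relays(log_text, n=5):
    """The n relays bouncing the most mail at us, highest first."""
    return bounce_sources(log_text).most_common(n)


def report(log_text, n=5):
    """Human-readable ranking suitable for pasting into an abuse report."""
    lines = []
    for (host, ip), count in top_bounce_relays(log_text, n):
        lines.append(f"{count:6d}  {host or '?'} [{ip}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real maillog with `report(open("/var/log/maillog").read())`; the top entry is the relay to write to, and the per-queue-id records from `parse_inbound` give the postmaster the message IDs to look up on their side.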