At 1:11 AM -0400 2003/10/22, Kee Hinckley wrote:
> When faced with the
> fact that some servers return 5xx errors on account full, he decided
> to ignore all 5xx errors. That's right. He just completely ignores
> them. But the real killer is that if you give him a 5xx at connect
> time and then close the connection, his software thinks it got a
> network error and immediately retries the connection... a lot...
> frequently. I was getting slammed with half a million connection
> attempts in the period of a few hours. Repeated every 12 to 24
> hours. Despite the fact that we'd immediately close them, it was
> saturating a 768kbs DSL line.

Simple to solve. Tar-pit him. Make sure that you always take
the full five minutes to respond to each command, and slow him down
to the full limits of the protocol. Also make sure that you don't
give him a 5xx response on connect, wait for the "RCPT TO" before you
do that, to help slow him down even more. If he tries to connect to
you multiple times in parallel, tar-pit all connections from him.
No matter what he does, he'll only be able to talk to you very
slowly, and he'll probably remove you from his lists because he
doesn't like having his server tied up.
Postfix does this easily.

> 61,000 machines engaged in a coordinated spam attack on a single machine.

That's a much tougher problem to solve. Greylisting plus
tar-pitting (by sender domain) would be a start, but you'd still have
very large numbers of simultaneous connection attempts to deal with.
--
Brad Knowles, <brad(_dot_)knowles(_at_)skynet(_dot_)be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
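
The tar-pitting approach described in the message above (slow every reply, hold the 5xx back until "RCPT TO", apply it to every connection from the same source), as an added example that is not part of the original post and is not Postfix's code. The listed address, the 290-second delay, the host name and the reply texts are assumptions chosen for illustration.

```python
import asyncio

# Assumed values, not from the message: the listed address (constructed,
# TEST-NET-1), a 290 s delay just under five minutes, and the host name.
TARPIT_DELAY = 290.0
TARPITTED = {"192.0.2.10"}


def plan_reply(client_ip, line, tarpitted=TARPITTED, delay=TARPIT_DELAY):
    """Return (seconds_to_wait, reply, close_after) for one SMTP command."""
    verb = line.strip().upper()
    listed = client_ip in tarpitted
    wait = delay if listed else 0.0  # keyed by IP: parallel sessions slow too
    if verb.startswith(("HELO", "EHLO")):
        return wait, "250 mail.example.test", False
    if verb.startswith("MAIL FROM:"):
        return wait, "250 OK", False
    if verb.startswith("RCPT TO:"):
        # The 5xx is held back until here instead of being sent at connect.
        return wait, ("550 5.7.1 Rejected" if listed else "250 OK"), False
    if verb.startswith("QUIT"):
        return wait, "221 Bye", True
    # Envelope phase only; a real MTA would take over for unlisted clients.
    return wait, "502 5.5.1 Command not implemented", False


async def handle(reader, writer):
    """Per-connection handler for asyncio.start_server(handle, host, port)."""
    ip = writer.get_extra_info("peername")[0]
    try:
        # Normal 220 greeting, delayed for listed clients (no 5xx here).
        await asyncio.sleep(TARPIT_DELAY if ip in TARPITTED else 0.0)
        writer.write(b"220 mail.example.test ESMTP\r\n")
        await writer.drain()
        while line := await reader.readline():
            wait, reply, close = plan_reply(ip, line.decode("ascii", "replace"))
            await asyncio.sleep(wait)  # a timer, not a blocked thread
            writer.write(reply.encode() + b"\r\n")
            await writer.drain()
            if close:
                break
    except (ConnectionError, ValueError):
        pass  # peer gave up waiting, or sent an over-long line
    finally:
        writer.close()
```

Because each delay is an `asyncio.sleep`, a held connection costs the receiving side one socket and a timer rather than a worker process, which matters when the sender opens many sessions in parallel.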