ietf-asrg

Re: [Asrg] 0. General

2003-10-22 12:28:05
On Thu, Oct 23, 2003 at 01:49:45AM +0700, Brad Knowles wrote:
      Simple to solve.  Tar-pit him.  Make sure that you always take 
the full five minutes to respond to each command, and slow him down 
to the full limits of the protocol.  Also make sure that you don't 
give him a 5xx response on connect, wait for the "RCPT TO" before you 
do that, to help slow him down even more.  If he tries to connect to 
you multiple times in parallel, tar-pit all connections from him.

We have some busy mailservers running a connection limit of 250 parallel
connections in total.
While I have noticed I have no problems with 50 connections in tarpit from
different hosts (some from the same), you can easily run into a home-grown
DoS if the number of concurrently tarpitted connections becomes too high.

I have written a wrapper (which is far from being in a state for a
release) that connects to a (central) server and sends "CONNECT <ip>".
The server has rules like
    - connections per timeframe (both freely configurable)
    - max concurrent connections
It checks the IP against the ruleset for that IP and either sends "OK"
or "REJECT <reason>". The wrapper fork()s the smtpd in case of an "OK"
and waits for termination to send a "DISCONNECT <ip>" to the server.
In case of a "REJECT" it sends a "4xy reason" and drops the connection.
The client/server architecture makes it possible to group mailservers
into a cluster and enforce the policies for the whole cluster.

For a quick and dirty solution to overzealous senders I find it useful
(in Unix environments) to add a route like
    route add <attacker_ip> 127.0.0.1
Not every machine has a firewall kernel, and that way one doesn't have
to mess with the firewall config at all.

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
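Added example (not Maex's wrapper, which was never released): a minimal in-memory policy server speaking the CONNECT/DISCONNECT line protocol described in the post, plus the wrapper-side mapping of a REJECT to a 4xx SMTP reply. The rule shape (connections per sliding window, max concurrent, a default rule for IPs without their own), the reject reasons, the 421 reply code and the injectable clock are assumptions of this example; the post only specifies "OK", "REJECT <reason>" and "4xy reason".

```python
"""Policy server for per-IP SMTP connection limits (added example).

Protocol, as in the post:  wrapper -> server: "CONNECT <ip>" / "DISCONNECT <ip>"
                          server -> wrapper: "OK" / "REJECT <reason>"
Assumed here: rule fields, reject reason strings, and the 421 reply code.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    max_per_window: int      # accepted CONNECTs allowed per sliding window
    window_seconds: float    # length of the sliding window
    max_concurrent: int      # open connections allowed at once


class PolicyServer:
    def __init__(self, default, per_ip=None, clock=time.monotonic):
        self.default = default              # rule for IPs without their own
        self.per_ip = dict(per_ip or {})    # ip -> Rule
        self.clock = clock                  # injectable for deterministic tests
        self.recent = defaultdict(deque)    # ip -> timestamps of accepted CONNECTs
        self.open = defaultdict(int)        # ip -> currently open connections

    def rule_for(self, ip):
        return self.per_ip.get(ip, self.default)

    def handle(self, line):
        """Process one request line from a wrapper and return the reply line."""
        parts = line.strip().split()
        if len(parts) != 2 or parts[0] not in ("CONNECT", "DISCONNECT"):
            return "REJECT malformed request"
        verb, ip = parts
        if verb == "DISCONNECT":
            # smtpd for that connection exited; free the concurrency slot
            if self.open[ip] > 0:
                self.open[ip] -= 1
            return "OK"
        return self._connect(ip)

    def _connect(self, ip):
        rule = self.rule_for(ip)
        now = self.clock()
        window = self.recent[ip]
        # expire timestamps that fell out of the sliding window
        while window and now - window[0] >= rule.window_seconds:
            window.popleft()
        # concurrency is checked first: it is what protects the 250-slot pool
        if self.open[ip] >= rule.max_concurrent:
            return "REJECT too many concurrent connections"
        if len(window) >= rule.max_per_window:
            return "REJECT connection rate exceeded"
        window.append(now)
        self.open[ip] += 1
        return "OK"


def smtp_reply_for(policy_reply):
    """Wrapper side: None means fork the smtpd; otherwise send this 4xx and drop.

    421 ("service not available, closing channel") is this example's choice
    of "4xy"; it tells a legitimate sender to retry later.
    """
    if policy_reply == "OK":
        return None
    reason = policy_reply[len("REJECT "):] if policy_reply.startswith("REJECT ") else "policy rejected"
    return f"421 {reason}"


if __name__ == "__main__":
    # constructed sample: 3 connections per minute, at most 2 open, for one client IP
    srv = PolicyServer(Rule(max_per_window=3, window_seconds=60, max_concurrent=2))
    for req in ["CONNECT 192.0.2.1", "CONNECT 192.0.2.1", "CONNECT 192.0.2.1",
                "DISCONNECT 192.0.2.1", "CONNECT 192.0.2.1", "DISCONNECT 192.0.2.1",
                "CONNECT 192.0.2.1"]:
        reply = srv.handle(req)
        print(f"{req:24} -> {reply:40} wrapper sends: {smtp_reply_for(reply)}")
```

Because all state lives in the one server process, pointing every wrapper in a cluster at it enforces the limits across the cluster rather than per host, which is the grouping the post describes. A DISCONNECT that never arrives (wrapper killed) would leak a concurrency slot; a production version needs a per-connection timeout or a heartbeat from the wrapper.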

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg