ietf-smtp

Re: DoS attacks (was Re: SMTP Transferred-By-Reference)

2007-11-15 16:28:52

At 4:48 pm -0500 15/11/2007, David F. Skoll wrote:
> Arnt Gulbrandsen wrote:
>
> [...]
>
>> There was an excellent article in the magazine iX on the subject earlier
>> this year, illustrated with a number of depressing rrdtool/mrtg graphs.
>> Dreary reading. Very brief summary: 1. Spammers whose botnets span n
>> hundred thousand boxes can shovel more mail onto your MXes than they can
>> handle. 2. Sometimes they do. 3. When they do, that's no fun at all for
>> the sysadmins on the receiving end.

Having been at the receiving end for more than a year now, it definitely isn't fun. I've been seeing tens of thousands of bots a day hit my server for quite a while now, although the volume of connections from the bots has dropped off, and the number of bots has dropped to about 10,000/day. And this is quite a modest server that just handles email for me; if spammers are throwing that much bot traffic at me, I'd hate to think what they might throw at a larger site.

> Yeah, I know, but spammers can do that with or without content-filtering.
> Sure, they'll overwhelm you a bit sooner if you use content-filtering
> than if you don't, but that's about it.

I've found graylisting combined with connection prioritization to be quite effective at minimizing the impact of DDoS attacks from bot-nets. Graylisting gives me the following benefits that I find to be useful against DDoS attacks:
* Transactions from new hosts are kept very short.
* My server gets to look at the HELO or EHLO name and MAIL FROM and RCPT TO addresses, and reject many hosts based on those.
* My server doesn't hand out any information on validity of RCPT TO addresses to hosts that are graylisted.

Connection prioritization helps keep mail flowing from hosts that aren't being graylisted. My MTA has two thresholds for how many SMTP connections are remaining: when the first one is exceeded, connections from new hosts or hosts that are still graylisted are not accepted; when the second one is exceeded, connections are only accepted from hosts that have been whitelisted.

The minor delays due to graylisting are far outweighed by its useful anti-DDoS features. Anti-spam solutions that want to replace graylisting are of no interest to me if they can't replace that functionality.

Glenn.
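The policy Glenn describes (greylisting that ends a new host's transaction right after RCPT TO without disclosing recipient validity, plus two connection-count thresholds that progressively restrict admission to known and then whitelisted hosts) is easy to state as code. The following is an added illustration written for this page, not Glenn's MTA or any real server; the hostnames, client addresses, thresholds, the 300-second retry window, the HELO sanity rule and the "passed" set that remembers hosts which retried correctly are all assumptions chosen for the demonstration, and the traffic in simulate() is constructed.

```python
import time
from dataclasses import dataclass, field


@dataclass
class GreylistMTA:
    """Toy SMTP admission policy: greylisting plus two-threshold connection
    prioritization. Added example, not Glenn's MTA; every name, threshold and
    address below is an assumption made for the demonstration."""
    my_name: str = "mx.example.net"                      # our own HELO name (assumed)
    valid_rcpts: set = field(default_factory=lambda: {"glenn@example.net"})
    max_conns: int = 100                                 # hard SMTP session limit (assumed)
    reserve_new: int = 30        # at this many or fewer free slots, refuse new/greylisted hosts
    reserve_whitelist: int = 10  # at this many or fewer free slots, accept only whitelisted hosts
    greylist_delay: int = 300    # seconds before a retried triplet is accepted (assumed)
    active: int = 0                                      # sessions currently open
    whitelist: set = field(default_factory=set)          # operator-trusted client IPs
    passed: set = field(default_factory=set)             # IPs that have retried correctly
    pending: dict = field(default_factory=dict)          # (ip, sender, rcpt) -> first-seen time

    def host_class(self, ip: str) -> str:
        if ip in self.whitelist:
            return "whitelisted"
        if ip in self.passed:
            return "passed"
        return "new"

    def accept_connection(self, ip: str) -> bool:
        """Connection-time decision, made before any SMTP dialogue: scarce
        slots go to hosts that have already proven themselves."""
        free = self.max_conns - self.active
        cls = self.host_class(ip)
        if free <= 0:
            ok = False
        elif free <= self.reserve_whitelist:       # second threshold
            ok = cls == "whitelisted"
        elif free <= self.reserve_new:             # first threshold
            ok = cls != "new"
        else:
            ok = True
        if ok:
            self.active += 1
        return ok

    def close_connection(self) -> None:
        self.active -= 1

    def envelope(self, ip: str, helo: str, sender: str, rcpt: str, now=None) -> str:
        """Decision after HELO/EHLO, MAIL FROM and RCPT TO; returns the reply
        line. For an unknown host the whole transaction ends here."""
        now = time.time() if now is None else now
        name = helo.strip("[]").lower()
        # Cheap HELO sanity check (assumption: an unqualified name, or a client
        # claiming to be us, is refused outright as a bot).
        if "." not in name or name == self.my_name:
            return "550 bad HELO"
        if self.host_class(ip) == "new":
            key = (ip, sender.lower(), rcpt.lower())
            first_seen = self.pending.setdefault(key, now)
            if now - first_seen < self.greylist_delay:
                # Same temporary reply whether or not rcpt exists: a greylisted
                # host learns nothing about which addresses are valid.
                return "451 greylisted, try again later"
            del self.pending[key]
            self.passed.add(ip)
        # Only whitelisted hosts and hosts that retried correctly get this far,
        # so only they can tell valid recipients from invalid ones.
        if rcpt.lower() not in self.valid_rcpts:
            return "550 no such user"
        return "250 ok"


def simulate() -> dict:
    """Walk the policy through constructed traffic; returns the replies seen."""
    mta = GreylistMTA()
    bot, good, wl = "203.0.113.7", "198.51.100.5", "192.0.2.10"   # constructed client IPs
    mta.whitelist.add(wl)
    t0 = 1_195_000_000
    out = {}
    out["bad_helo"] = mta.envelope(bot, "localhost", "x@example.org", "glenn@example.net", t0)
    # A new host gets identical replies for an existing and a bogus recipient.
    out["grey_valid"] = mta.envelope(bot, "pc.example.org", "x@example.org", "glenn@example.net", t0)
    out["grey_bogus"] = mta.envelope(bot, "pc.example.org", "x@example.org", "nobody@example.net", t0)
    # A real MTA retries the same triplet after its queue delay and is let through.
    mta.envelope(good, "smtp.example.com", "b@example.com", "glenn@example.net", t0)
    out["retry_too_soon"] = mta.envelope(good, "smtp.example.com", "b@example.com", "glenn@example.net", t0 + 60)
    out["retry_ok"] = mta.envelope(good, "smtp.example.com", "b@example.com", "glenn@example.net", t0 + 600)
    out["known_bad_rcpt"] = mta.envelope(good, "smtp.example.com", "b@example.com", "nobody@example.net", t0 + 601)
    # Connection prioritization at the two load thresholds, then at a full server.
    mta.active = mta.max_conns - mta.reserve_new           # first threshold reached
    out["load_high"] = (mta.accept_connection(bot), mta.accept_connection(good), mta.accept_connection(wl))
    mta.active = mta.max_conns - mta.reserve_whitelist     # second threshold reached
    out["load_critical"] = (mta.accept_connection(bot), mta.accept_connection(good), mta.accept_connection(wl))
    mta.active = mta.max_conns                              # no slots left at all
    out["load_full"] = (mta.accept_connection(bot), mta.accept_connection(good), mta.accept_connection(wl))
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:16} {v}")
```

The two details worth noticing are the order of checks in envelope(), where the 451 is returned before the recipient table is ever consulted so a greylisted bot gets the same answer for every address, and the fact that accept_connection() needs nothing but the client IP, so a host that has never retried correctly is turned away at the TCP level once the first threshold is reached and costs no SMTP dialogue at all.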