At 4:48 pm -0500 15/11/2007, David F. Skoll wrote:
> Arnt Gulbrandsen wrote:
> [...]
> > There was an excellent article in the magazine iX on the subject earlier
> > this year, illustrated with a number of depressing rrdtool/mrtg graphs.
> > Dreary reading. Very brief summary: 1. Spammers whose botnets span n
> > hundred thousand boxes can shovel more mail onto your MXes than they can
> > handle. 2. Sometimes they do. 3. When they do, that's no fun at all for
> > the sysadmins on the receiving end.
Having been at the receiving end for more than a year now, it
definitely isn't fun. I've been seeing tens of thousands of bots a
day hit my server for quite a while now, although the volume of
connections from the bots has dropped off, and the volume of bots has
dropped to about 10,000/day. And this is quite a modest server that
just handles email for me; if spammers are throwing that much bot
traffic at me, I'd hate to think what they might throw at a larger
site.
> Yeah, I know, but spammers can do that with or without content-filtering.
> Sure, they'll overwhelm you a bit sooner if you use content-filtering
> than if you don't, but that's about it.
I've found graylisting combined with connection prioritization to be
quite effective at minimizing the impact of DDoS attacks from
bot-nets. Graylisting gives me the following benefits that I find to
be useful against DDoS attacks:
* Transactions from new hosts are kept very short.
* My server gets to look at the HELO or EHLO name and MAIL FROM and
RCPT TO addresses, and reject many hosts based on those.
* My server doesn't hand out any information on validity of RCPT TO
addresses to hosts that are graylisted.
Connection prioritization helps keep mail flowing from hosts that
aren't being graylisted. My MTA has two thresholds for how many SMTP
connections are remaining. When the first one is exceeded, connections
from new hosts or hosts that are still graylisted are not accepted.
When the second one is exceeded, connections are only accepted from
hosts that have been whitelisted.
The minor delays due to graylisting are far outweighed by its useful
anti-DDoS features. Anti-spam solutions that want to replace
graylisting are of no interest to me if they can't replace that
functionality.
Glenn.
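The greylisting and two-threshold connection prioritization Glenn describes, as an added toy model that is not Glenn's MTA or its configuration. The threshold values, the 300-second retry delay, the addresses, and the HELO forgery heuristic are all assumptions chosen for illustration; the scenario in simulate() is constructed. The point it shows is the one in the post: a bot that never retries gets a 450 and learns nothing about recipient validity, and under load only hosts that have already proven themselves (or are whitelisted) get a connection slot.

```python
"""Toy model of greylisting plus two-threshold SMTP connection prioritization.
Added example; thresholds, addresses and heuristics are assumptions."""
from dataclasses import dataclass, field

GREY_DELAY = 300        # seconds a triplet must wait before a retry is honoured (assumed)
GREY_WINDOW = 4 * 3600  # seconds after which an un-retried triplet is forgotten (assumed)


@dataclass
class MailPolicy:
    max_conns: int                     # total SMTP connection slots
    soft_reserve: int                  # free slots at/below which new and still-greylisted hosts are refused
    hard_reserve: int                  # free slots at/below which only whitelisted hosts are accepted
    whitelist: set = field(default_factory=set)
    valid_rcpts: set = field(default_factory=set)
    local_domain: str = "example.com"  # assumed; only used for the HELO forgery check
    active: int = 0
    triplets: dict = field(default_factory=dict)  # (ip, sender, rcpt) -> first-seen time
    passed: set = field(default_factory=set)      # hosts that completed a greylist retry

    def host_class(self, ip):
        if ip in self.whitelist:
            return "whitelisted"
        if ip in self.passed:
            return "passed"
        if any(t[0] == ip for t in self.triplets):
            return "greylisted"
        return "new"

    def admit_connection(self, ip):
        """Connect-time decision: the two thresholds from the post."""
        free = self.max_conns - self.active
        cls = self.host_class(ip)
        if free <= 0:
            ok = False
        elif free <= self.hard_reserve:
            ok = cls == "whitelisted"
        elif free <= self.soft_reserve:
            ok = cls in ("whitelisted", "passed")
        else:
            ok = True
        if ok:
            self.active += 1
        return ok

    def close_connection(self):
        self.active -= 1

    def check_rcpt(self, ip, helo, sender, rcpt, now):
        """RCPT TO decision; returns the SMTP reply code the client sees."""
        # Cheap envelope check before any recipient lookup: a client that
        # HELOs as our own domain is forging (assumed heuristic).
        if helo.lower() == self.local_domain:
            return 550
        if ip in self.whitelist or ip in self.passed:
            return 250 if rcpt in self.valid_rcpts else 550
        key = (ip, sender.lower(), rcpt.lower())
        first = self.triplets.get(key)
        if first is None or now - first > GREY_WINDOW:
            self.triplets[key] = now  # first sight (or stale): ask for a retry
            return 450                # greylisted: recipient validity is not revealed
        if now - first < GREY_DELAY:
            return 450                # retried too soon; still reveals nothing
        # Retry after the delay: the host behaves like a real MTA, so it is
        # allowed through and only now sees whether the recipient exists.
        self.passed.add(ip)
        del self.triplets[key]
        return 250 if rcpt in self.valid_rcpts else 550


def simulate():
    """Constructed scenario: a burst of bots, then a whitelisted and a new legitimate host."""
    p = MailPolicy(max_conns=10, soft_reserve=4, hard_reserve=2,
                   whitelist={"192.0.2.10"}, valid_rcpts={"glenn@example.com"})
    bots = [f"203.0.113.{i}" for i in range(1, 21)]
    admitted = [b for b in bots if p.admit_connection(b)]
    r = {"bots_admitted": len(admitted)}  # the 7th bot finds only soft_reserve slots free
    r["bot_rcpt"] = p.check_rcpt(admitted[0], "mail.example.net", "x@spam.invalid", "nobody@example.com", now=0)
    r["bot_retry_soon"] = p.check_rcpt(admitted[0], "mail.example.net", "x@spam.invalid", "nobody@example.com", now=30)
    r["whitelisted_admitted"] = p.admit_connection("192.0.2.10")  # still gets in under load
    r["whitelisted_rcpt"] = p.check_rcpt("192.0.2.10", "mail.example.org", "a@example.org", "glenn@example.com", now=0)
    legit = "198.51.100.7"
    r["legit_refused_under_load"] = p.admit_connection(legit)    # new host, slots reserved
    for _ in range(7):
        p.close_connection()                                     # bots and whitelisted host hang up
    r["legit_admitted"] = p.admit_connection(legit)
    r["legit_first"] = p.check_rcpt(legit, "mx.example.org", "bob@example.org", "glenn@example.com", now=0)
    r["legit_retry"] = p.check_rcpt(legit, "mx.example.org", "bob@example.org", "glenn@example.com", now=600)
    r["legit_class"] = p.host_class(legit)
    r["forged_helo"] = p.check_rcpt("203.0.113.99", "example.com", "glenn@example.com", "glenn@example.com", now=0)
    return r


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The reserves are counted in free slots rather than as fixed percentages so the same policy works for a ten-connection home server and a thousand-connection MX; the thing to tune is how many slots are held back for hosts that have already proven they retry.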