Protect sendmail from DoS

Steven Jones Steven.Jones at vuw.ac.nz
Mon Nov 7 20:58:14 UTC 2005


I have 3 huge servers 4 cpus each....(Dell 2850 ~ 4 gig of ram, Dell
6850 ~ 12 gig of ram Dell 2650 ~ 4 gig of ram) dedicated to incoming
mail.

During a really severe spam & bounce attack, the lowest MX (2850) gets
overloaded so the next MX (6850) takes the load, then that gets
overloaded and the final box (2650) gets almost overloaded.....So so far
in 18 months I have kept on line but only just........the last server
had a Load of 4~6....the other 2, 25+......

These attacks are dictionary attacks usually coming from multiple
sources, they load up our 20Mbit/sec pipe for 5 ~ 20 minutes then
disappear....sometimes we have no attacks for days, other times we get
4+ an hour....

Then we have the constant pounding of relay attacks....DNS attacks....I
had to separate those and outgoing mail out onto 3 new Dell 1850s....

I have 3 different anti-virus products to try and stop phishing and
virus attacks....

Normal email traffic I reckon I could run off a Pentium Pro 200 with 64
meg of ram.....

So the spammers have cost us in excess of $80kNZ on servers just to keep
online.....

That does not include the biggest Fortinet multiblade firewall we could
buy.....

Regards

Thing

-----Original Message-----
From: Ed Wilts [mailto:ewilts at ewilts.org] 
Sent: Tuesday, 8 November 2005 9:22 a.m.
To: General Red Hat Linux discussion list
Subject: Re: Protect sendmail from DoS

On Tue, Nov 01, 2005 at 08:08:13PM -0500, Devon Harding wrote:
> Is there some way of using something like IPTABLES to block if it sees a
> certain amount of connections from a particular IP? I know Ciphertrust
> Ironmail does this.

The one you can't easily protect yourself from happens if somebody does
a wide-area spam using one of your domain names.  The bounces come back
from a large amount of perfectly legitimate servers that you can't (and
shouldn't) block.  Those bouncers were victims of the spams, as are you.

I've seen tens of thousands of bounce messages come in a very short
period of time, taking out both of my mail servers.  It wasn't a pretty
sight to deal with at 1am.

As somebody else said, if somebody wants you dead, you'll be dead unless
you have deep pockets to protect yourself from this.

        .../Ed

> 
> On 11/1/05, Steven Jones <Steven.Jones at vuw.ac.nz> wrote:
> >
> > Sendmail has some protection in terms of load limiting, these are a bit
> > high so you can set them lower so the server recovers sooner. This will
> > save your server but in effect it allows DoS sooner.
> >
> > Possibly you do not understand what a DoS is. DoS is a function of your
> > attacker overloading your network or server's capacity to handle network
> > traffic sent at it.
> >
> > These days unless you are a big organisation with huge pipes, big
> > multiple servers and deep pockets, and someone wants you dead, you're
> > dead.
> >
> > If someone wants to take your server out they can, it is simply a matter
> > of logistics, they control 30 or 300 or 3000 or 30000 spam drones of
> > hacked broadband connections and the volume these generate is amazing.
> >
> > I was Dos'd a while back, I was sent 5+gig of volume in 2~3 minutes, my
> > 512k cable modem could not cope so in effect the DoS happened at the
> > ISP's end of my pipe, totally outside of my control.
> >
> > Modern machines, even desktop ones should be able to handle a lot of
> > mail, if you are having issues with DoS's then maybe it is something
> > else.
> >
> > Regards
> >
> > Thing
> >
> >
> >
> > -----Original Message-----
> > From: Devon Harding [mailto:devonharding at gmail.com]
> > Sent: Wednesday, 2 November 2005 10:43 a.m.
> > To: General Red Hat Linux discussion list
> > Subject: Protect sendmail from DoS
> >
> > How can I protect my sendmail server against DoS attacks?

-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
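
The load limiting mentioned in the thread, and the per-IP connection limit Devon asks about, can both be set in sendmail's own configuration. The sendmail.mc fragment below is an added example, not written by any poster in the thread; it assumes sendmail 8.13 or later (needed for ratecontrol and conncontrol), and every number and address in it is an illustrative assumption to be tuned per host.

```m4
dnl Added example. All values are illustrative assumptions, not from the thread.
dnl
dnl --- Load limiting ------------------------------------------------------
dnl Trade-off described in the thread: lower thresholds let the host recover
dnl sooner, but mail is deferred or refused sooner as well.
define(`confQUEUE_LA', `8')dnl    above this load: accept and queue, no immediate delivery
define(`confDELAY_LA', `10')dnl   above this load: sleep 1s before accepting and on most commands
define(`confREFUSE_LA', `12')dnl  above this load: refuse new SMTP connections
define(`confMAX_DAEMON_CHILDREN', `40')dnl     cap on concurrent daemon children
define(`confCONNECTION_RATE_THROTTLE', `5')dnl new connections per second; extras are delayed
dnl
dnl --- Dictionary attacks -------------------------------------------------
dnl After this many rejected recipients in one transaction, each further
dnl RCPT command is answered only after a one second sleep.
define(`confBAD_RCPT_THROTTLE', `3')dnl
dnl
dnl --- Per-client limits (sendmail-level answer to the iptables question) --
define(`confCONNECTION_RATE_WINDOW_SIZE', `60s')dnl window used by ClientRate
FEATURE(`access_db')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl  over-limit clients get a 421 and are dropped
FEATURE(`conncontrol', `nodelay', `terminate')dnl
dnl
dnl Matching /etc/mail/access entries (tab between key and value; rebuild
dnl the map with makemap afterwards). Addresses are documentation ranges,
dnl constructed for this example:
dnl
dnl   ClientRate:             10    default: 10 connections per window per client
dnl   ClientConn:             5     default: 5 simultaneous connections per client
dnl   ClientRate:127.0.0.1    0     0 = no limit for localhost
dnl   ClientConn:127.0.0.1    0
dnl   ClientRate:192.0.2      0     trusted relay network, no limit
dnl   ClientConn:192.0.2      0
```

Per-client limits only help against a few noisy sources. They do not address the bounce flood Ed describes, where the traffic arrives from many legitimate servers, or a flood that saturates the link upstream of the host.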




