
smtp server under attack inetd/xinetd fails

Artur

Guest
Lately we are being attacked in a new sort of DDoS. Thousands of computers/bots are trying to make concurrent connections to our smtp port and inetd fails with a message like this:

(on freebsd server)
inetd[43138]: accept (for smtp): Software caused connection abort

It seems to be a dictionary attack which is going through the dictionary @domain.com. So I'm watching RCPT TO headers being sent to this domain and inserting the ip addresses into the firewall.

Right now I have a list of 5800 ip addresses and growing.

This has been happening on several servers (linux and freebsd) over the past few weeks, so I am getting fed up with dealing with this issue since it takes so long to clean up.

Anyone with similar experience?
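An added example (not code from the thread or from Plesk) of the detection the post describes: scan an SMTP log for sources that send RCPT TO for many different addresses at one domain (the dictionary pattern) or that simply open too many connections, and render the firewall entries for review. The log format, the domain example.com, the thresholds and the pf table name are all assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (not taken from the thread): one line per SMTP
# connection and one per RCPT TO, in a simple syslog-like layout.
SAMPLE_LOG = """\
Mar 03 10:00:01 mx1 smtpd[4101]: connect from 203.0.113.5
Mar 03 10:00:01 mx1 smtpd[4101]: 203.0.113.5 RCPT TO:<aaron@example.com>
Mar 03 10:00:01 mx1 smtpd[4101]: 203.0.113.5 RCPT TO:<abbey@example.com>
Mar 03 10:00:02 mx1 smtpd[4101]: 203.0.113.5 RCPT TO:<abbot@example.com>
Mar 03 10:00:02 mx1 smtpd[4102]: connect from 203.0.113.5
Mar 03 10:00:02 mx1 smtpd[4102]: 203.0.113.5 RCPT TO:<abdul@example.com>
Mar 03 10:00:03 mx1 smtpd[4103]: connect from 198.51.100.7
Mar 03 10:00:03 mx1 smtpd[4103]: 198.51.100.7 RCPT TO:<sales@example.com>
Mar 03 10:00:05 mx1 smtpd[4104]: connect from 198.51.100.7
Mar 03 10:00:05 mx1 smtpd[4104]: 198.51.100.7 RCPT TO:<sales@example.com>
Mar 03 10:00:09 mx1 smtpd[4105]: connect from 203.0.113.5
Mar 03 10:00:09 mx1 smtpd[4105]: 203.0.113.5 RCPT TO:<abe@example.com>
"""

WATCHED_DOMAIN = "example.com"   # assumed: the domain being dictionary-scanned

CONNECT_RE = re.compile(
    r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ smtpd\[\d+\]: connect from (\d+(?:\.\d+){3})$")
RCPT_RE = re.compile(
    r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ smtpd\[\d+\]: (\d+(?:\.\d+){3}) RCPT TO:<([^>]+)>$")


def parse_events(text):
    """Yield ("connect", ip, None) or ("rcpt", ip, recipient) for each recognised line."""
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            yield ("connect", m.group(1), None)
            continue
        m = RCPT_RE.match(line)
        if m:
            yield ("rcpt", m.group(1), m.group(2).lower())


def find_flood_sources(text, domain=WATCHED_DOMAIN, max_distinct_rcpts=3, max_connects=3):
    """Return {ip: reason} for sources that tried many *different* recipients at
    `domain` (a dictionary run) or that opened too many connections.
    A legitimate sender repeating one valid recipient is not flagged."""
    distinct_rcpts = defaultdict(set)
    connects = defaultdict(int)
    for kind, ip, rcpt in parse_events(text):
        if kind == "connect":
            connects[ip] += 1
        elif rcpt.endswith("@" + domain.lower()):
            distinct_rcpts[ip].add(rcpt)

    flagged = {}
    for ip in set(distinct_rcpts) | set(connects):
        n_rcpt, n_conn = len(distinct_rcpts[ip]), connects[ip]
        if n_rcpt >= max_distinct_rcpts:
            flagged[ip] = f"{n_rcpt} distinct recipients at {domain}"
        elif n_conn >= max_connects:
            flagged[ip] = f"{n_conn} connections"
    return flagged


def pf_table_commands(flagged, table="smtp_flood"):
    """Render the pfctl commands that would add each flagged source to a pf table.
    Returned as strings for an operator to review; nothing is executed here."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_flood_sources(SAMPLE_LOG)
    for ip, why in sorted(hits.items()):
        print(f"{ip}: {why}")
    print("\n".join(pf_table_commands(hits)))
```

Counting distinct recipients rather than raw RCPT TO volume is what separates a dictionary run from a busy but legitimate peer: in the sample, 198.51.100.7 sends twice to the same mailbox and is left alone, while 203.0.113.5 walks through five different local parts and is flagged. In practice the function would be fed a rolling tail of the log so the thresholds apply to a time window rather than the whole file.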
 
Yup

Seeing a lot of:

inetd[40731]: accept (for smtp): Software caused connection abort

in /var/log/messages, and have to restart inetd. I've been trying different values in /etc/inetd.conf for the values after "nowait":

smtp stream tcp nowait/250/500/100 root /usr/local/psa/qmail/bin/tcp-env tcp-env /usr/local/bin/spamdyke -f /etc/spamdyke/spamdyke.conf /usr/local/psa/qmail/bin/relaylock /usr/local/psa/qmail/bin/qmail-smtpd /usr/local/psa/qmail/bin/smtp_auth /usr/local/psa/qmail/bin/true /usr/local/psa/qmail/bin/cmd5checkpw /usr/local/psa/qmail/bin/true

smtps stream tcp nowait/250/500/100 root /usr/local/psa/qmail/bin/tcp-env tcp-env /usr/local/bin/spamdyke -f /etc/spamdyke/spamdyke.conf /usr/local/psa/qmail/bin/relaylock /usr/local/psa/qmail/bin/qmail-smtpd /usr/local/psa/qmail/bin/smtp_auth /usr/local/psa/qmail/bin/true /usr/local/psa/qmail/bin/cmd5checkpw /usr/local/psa/qmail/bin/true

Not sure if 250/500/100 is too generous or too little? See http://kb.odin.com/article_22_1470_en.html for more info, or type 'man inetd'.

You also might want to check out installing Spamdyke, which is helping deflect this kind of garbage before it bothers qmail with it. www.spamdyke.org

Were you able to solve this issue, Artur?
 
This turned out to be not an attack, but an incredible amount of spam. I'm talking about megabytes of spam per minute to one domain. The one server could definitely not cope with this kind of volume.

We ended up setting up this domain on Google mail site apps. As soon as the MX records were pointed away from our servers, the problem resolved itself. Google is good about scaling with the demand.
 
You can also set xinetd to throttle connections, the default is that UNLIMITED line. You could just set that to 10 or something. In Project Gamera (which is qmail, but with tcpserver instead of xinetd) we've also got throttling for things like max ips per net block, and load based throttling.

Anyway, this whole thread gave me an idea for SMTP flood detection in ASL, using something like the above and a firewall tarpitting trick. Btw, 24k rules is perfectly OK on a linux box, I run mine with easily 40k on average, and I've gone considerably higher.
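An added example, not from the thread or from Plesk, of the xinetd throttling the post above refers to. `instances`, `per_source` and `cps` are real xinetd service attributes (`instances` is the one that defaults to UNLIMITED); the numeric values are assumptions, and the server line reuses the tcp-env/relaylock/qmail-smtpd chain quoted earlier in the thread. For the FreeBSD inetd entries quoted earlier, the equivalent limits are the three numbers after `nowait`: max-child, max-connections-per-IP-per-minute and max-child-per-IP.

```conf
service smtp
{
    socket_type  = stream
    protocol     = tcp
    wait         = no
    user         = root
    server       = /usr/local/psa/qmail/bin/tcp-env
    server_args  = tcp-env /usr/local/psa/qmail/bin/relaylock /usr/local/psa/qmail/bin/qmail-smtpd /usr/local/psa/qmail/bin/smtp_auth /usr/local/psa/qmail/bin/true /usr/local/psa/qmail/bin/cmd5checkpw /usr/local/psa/qmail/bin/true
    # total concurrent smtp children (xinetd default: UNLIMITED); assumed value
    instances    = 50
    # concurrent children allowed from a single source address; assumed value
    per_source   = 5
    # above 30 new connections per second, disable the service for 10 seconds; assumed values
    cps          = 30 10
}
```

`instances` bounds the damage a flood can do to the whole host, `per_source` stops one bot from consuming that budget on its own, and `cps` makes xinetd back off briefly instead of failing on accept() under a burst. The trade-off is that `cps` also turns away legitimate senders while the service is disabled, so the numbers need to reflect the server's normal connection rate.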
 