Re: ongoing DDoS...
From: Suresh Ramasubramanian <ops.lists () gmail com>
Date: Fri, 27 Jan 2006 10:35:01 +0530
On 1/27/06, Barry Shein <bzs () world std com> wrote:
> Besides the obvious SMTP traffic this also generates a lot of DNS
> traffic. At this point the DNS traffic seems to be more of a nuisance
> probably because so many target hosts are retrying. At one point we
> were doing around 10K pkts/second in DNS traffic, very unusual.
> This has been going on for about a week.
At least some broken resolvers will keep re-querying you, so see if you
can't throttle or rate limit DNS queries from problem IPs for a while.
That, and increase TTLs a bit.
As for the smtp -
* Don't accept email for catchall aliases - try to reject all you can
at the gateway
* Bounces and backscatter - RFC violation or not, accepting bounces
takes a backseat to keeping your mail system up and running.
TEMPORARILY turn off accepting mail from:<>, especially if you're
seeing far, far more bounce traffic to nonexistent addresses on your
site than valid bounces.
Long term - see if you can't use http://www.mipassoc.org/batv/
especially if all your users send email through your smtp server from
outside (say using AUTH) or ssh in and use pine / elm or whatever on
your shell servers.
> So where does one start? It seems a mother ship needs to be shut down
> somewhere, etc. Obviously ID'ing a miscreant would be a nice result.
You sure it's just one botnet hitting you? Shutting off a mothership
often means that the zombies become even more zombied and keep
pounding on your server long after the mothership is dead.
Suresh Ramasubramanian (ops.lists () gmail com)
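The "long term" suggestion above, BATV, works by tagging the envelope sender of outgoing mail with a short-lived signature so that a gateway can tell a genuine bounce (addressed to a tagged sender) from backscatter (addressed to an untagged or forged one). The following is an added illustration, not code from the thread or from the BATV project: a small Python signer and verifier that follows the shape of the BATV `prvs=` tag (one key digit, a three-digit expiry day, six hex characters of an HMAC over key, expiry and the original address). The secret, key id, validity window and the `accept_bounce` policy function are constructed for the example; a production deployment would rotate keys and keep the secret out of source.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed placeholders for the example; a real site rotates these.
SECRET = b"example-site-secret-not-for-production"
KEY_ID = "0"          # single key digit, as in the prvs= tag layout
VALID_DAYS = 7        # how long an outgoing tag stays acceptable


def _as_date(today):
    """Accept None (today), a date, or an ISO string such as '2006-01-27'."""
    if today is None:
        return date.today()
    if isinstance(today, str):
        return date.fromisoformat(today)
    return today


def _ddd(d):
    """Three-digit expiry day: ordinal day number modulo 1000, like prvs=."""
    return f"{d.toordinal() % 1000:03d}"


def _sig(key_id, expiry_ddd, address, secret=SECRET):
    """Six hex chars of HMAC-SHA1 over key id, expiry day and the address."""
    msg = f"{key_id}{expiry_ddd}{address}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6]


def sign(address, today=None, secret=SECRET, valid_days=VALID_DAYS):
    """Rewrite user@domain to prvs=KDDDSSSSSS=user@domain for outgoing mail."""
    d = _as_date(today)
    local, domain = address.rsplit("@", 1)
    expiry = _ddd(d + timedelta(days=valid_days))
    tag = f"prvs={KEY_ID}{expiry}{_sig(KEY_ID, expiry, address, secret)}"
    return f"{tag}={local}@{domain}"


def verify(address, today=None, secret=SECRET, valid_days=VALID_DAYS):
    """Check an incoming RCPT TO. Returns (ok, reason, original_address)."""
    d = _as_date(today)
    if "@" not in address:
        return False, "malformed", address
    local, domain = address.rsplit("@", 1)
    if not local.startswith("prvs="):
        return False, "untagged", address
    tag, _, orig_local = local[5:].partition("=")
    if len(tag) != 10 or not orig_local:
        return False, "malformed", address
    key_id, expiry, sig = tag[0], tag[1:4], tag[4:]
    orig = f"{orig_local}@{domain}"
    # Constant-time compare so timing does not leak the expected signature.
    if not hmac.compare_digest(sig, _sig(key_id, expiry, orig, secret)):
        return False, "bad-signature", orig
    # The expiry wraps modulo 1000, so compare within the validity window:
    # a tag that is still valid yields 0..valid_days, an expired one wraps high.
    delta = (int(expiry) - d.toordinal() % 1000) % 1000
    if delta > valid_days:
        return False, "expired", orig
    return True, "ok", orig


def accept_bounce(rcpt_to, today=None):
    """Gateway policy for MAIL FROM:<>: take the bounce only if RCPT TO
    carries a tag this site issued and that has not expired. Everything
    else is treated as backscatter and rejected at the gateway."""
    ok, _reason, _orig = verify(rcpt_to, today)
    return ok


if __name__ == "__main__":
    out = sign("alice@example.com", today="2006-01-27")
    print(out)
    print(verify(out, today="2006-01-27"))
    print(verify("alice@example.com", today="2006-01-27"))
```

With this in place, a gateway keeps delivering bounces for mail the site actually sent, while the flood of bounces to never-sent or nonexistent addresses is refused before it reaches the mailbox stores. The tag must be applied at every point where users submit mail (the SMTP AUTH path and the shell servers, as the reply notes), otherwise their genuine bounces will also be rejected.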