DoS update: It's over, and I have some nice new tools to help stop them

Basically, someone decided to fire off a flood of emails at us. The effort came from a team of bots (ToB), largely from the .ru domain.

I wrote some quick-and-dirty tools to scan our logs and generate a hash table of IP addresses, and plugged this into an smtpd client filter. So after the first few failed emails, we have the bot's signature, and we can reject future emails from it, even if only for a short period of time.

A little Perl, a quick configuration change, and whammo: the DoS fell off after about 1 hour. This is a little better than the DNS approach to the DoS I had found previously, which was basically to redirect mail to a different machine. The latter also loses legitimate mail, but it collapses the ToB darned fast. The former catches repeat offenders.
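A Python sketch of the log-scan-to-blocklist idea described above, added here as an illustration and not the author's Perl tools: it parses constructed Postfix-style reject lines (the log format, the threshold and the block duration are all assumptions), counts rejects per client IP within a sliding window, and produces a blocklist with an expiry that a client filter could consult on each new connection.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a Postfix/syslog-style format. The format is an
# assumption for illustration; the original post does not show its log lines.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 12 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.1.8 <bot@example.invalid>: Sender address rejected
Jan 12 10:00:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.1.8 <bot2@example.invalid>: Sender address rejected
Jan 12 10:00:05 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.1.8 <bot3@example.invalid>: Sender address rejected
Jan 12 10:00:07 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 554 5.7.1 <nobody@example.org>: Recipient address rejected
Jan 12 10:00:09 mx postfix/smtpd[2104]: connect from mail.example.com[198.51.100.20]
"""

# Matches the syslog timestamp and the client IP of a rejected RCPT command.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?: reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]"
)


def parse_timestamp(ts, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_rejects(log_text, year):
    """Return a list of (time, client_ip) for every rejected RCPT in the log."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            events.append((parse_timestamp(m.group("ts"), year), m.group("ip")))
    return events


def build_blocklist(events, threshold, window_s, block_s):
    """Map client IP -> time until which it is blocked.

    An IP is blocked once it has `threshold` rejects within `window_s` seconds;
    the block lasts `block_s` seconds from the reject that tripped it, so the
    list expires on its own instead of growing forever.
    """
    per_ip = defaultdict(list)
    for when, ip in sorted(events):
        per_ip[ip].append(when)
    blocked_until = {}
    window = timedelta(seconds=window_s)
    for ip, times in per_ip.items():
        start = 0
        for i, when in enumerate(times):
            # Slide the window start forward until it lies within `window` of `when`.
            while when - times[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                blocked_until[ip] = when + timedelta(seconds=block_s)
    return blocked_until


def should_reject(client_ip, blocked_until, now):
    """The decision an smtpd client filter would make for a new connection."""
    expiry = blocked_until.get(client_ip)
    return expiry is not None and now < expiry


if __name__ == "__main__":
    events = parse_rejects(SAMPLE_LOG, 2024)
    blocklist = build_blocklist(events, threshold=3, window_s=60, block_s=900)
    for ip, until in blocklist.items():
        print(f"{ip} blocked until {until:%Y-%m-%d %H:%M:%S}")
```

The filter side only needs `should_reject`; because the blocklist carries an expiry, a genuine sender that happened to trip the threshold gets through again once the block lapses, which is the "short period of time" trade-off the post describes.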

