Exim system getting DDOSed, need some quick advice.

[jols]

Hi folks,

I should know this but I don't

For the past few days, our email system has received a very bad DDOS attack. At this point we are quite desperate.

It's just a simple question, all I need is advice simple advice it would seem. Thanks very much.

---------------
Regarding exim_mainlog entries like this:

2012-08-31 15:54:18 SMTP connection from [64.132.92.169]:36391 (TCP/IP connection count = 144)
2012-08-31 15:54:19 SMTP connection from [65.25.104.113]:55800 (TCP/IP connection count = 145)
2012-08-31 15:54:19 SMTP connection from [216.27.86.177]:36975 (TCP/IP connection count = 146)
2012-08-31 15:54:19 SMTP connection from [173.231.139.1]:45551 (TCP/IP connection count = 147)

Obviously we have inbound connections to the email system on high number ports, e.g. 36391, 55800, 36975 and so on. But I have configured our CSF firewall NOT to open any such ports. So how are they even able to perform SMTP connections on such ports?

Seems to me that legitimate traffic would use port 25 to send email, and 110 to receive, and the IMAP port 143 (disregarding the secure email ports for the sake of discussion).

So, is there any way of blocking, or switching off these high number port connects to SMTP while allowing regular legitimate connections to the email system?

 

[jols]

I'm trying to figure out how to implement the following in exim.conf, but so far it does not seem to do any good:

smtp_accept_max_per_host = 3

 

[cPanelTristan]

Are you able to connect on those ports from a remote system? If not, I don't know how to answer the question, since it seems unlikely they could be connecting on such ports if you cannot.

Depending on what state they are when trying the connection, it might not ever make it to the state of being rejected by exim. Some connection states never try a full connection but purposely try to just cause a denial of service in a SYN_RECV state. In such instances, the best way to handle these would be with your datacenter, NOC or provider to filter them at the network level.

 

[jols]

The odd thing is, when this was occuring the number of active exim processes that I could see in ps -ef | grep exim where literally through the roof. So apparently THEY were able to connect.

 

[ruzbehraja]

I'm trying to figure out how to implement the following in exim.conf, but so far it does not seem to do any good:

smtp_accept_max_per_host = 3

WHM >> Service Configuration >> Exim Configuration Manager >> Advanced Editor

If this option is not already there you need to click "Add additional configuration setting" button.

Put the values in their respective boxes.

You can set:

• smtp_accept_max_per_host = 3
• smtp_accept_max = 20

This should do the trick.

 

[jols]

Thanks much for the reply.

Indeed I tried exactly what you suggested, but it did not take/work. Exim continued to be pounded. The number of connects from remote hosts stayed in the 70 to 90 range for quite a long time, i.e. 48 hours or so, after I tried this.

 

[ruzbehraja]

Did this get resolved?