I am getting hit with a distributed dictionay email attack

[EdRooney]

I am getting hit with a distributed dictionay email attack

I installed the anti-dictionary attack software but it just keeps coming from new IPs

# cat /etc/exim_deny | uniq | wc -l
1058

Its been running about an hour now and is still increasing.

What should I do?

Is it good to block that many ips? Will that slow down delivery of regular mail?

 

[sawbuck]

I installed the anti-dictionary attack software but it just keeps coming from new IPs

Meaning the one that Chirpy provides?

 

[chirpy]

That number should be fine. So long as you have installed the recommended hourly cron job it will rotate the IP addresses. You're likely to have a far greater load on your server if you didn't have the ACL in place.

 

[EdRooney]

Is that a lot? Have you seen more than 1000 ips blocked per hour before?

 

[chirpy]

Yes. I have a server that at one time was getting around 3000 attacks an hour. It was the reason I wrote the ACL in the first place.

 

[EdRooney]

Cool, how many does that server get now?

 

[damainman]

1. How did you know you was under this type of attack?
2. Considering so many IP's are being blocked, would it be a good idea to unblock the ips in a few months or so considering some of those ip's may have been dynamic or spoofed?

Thank you in advance for your replies.

 

[EdRooney]

1. How did you know you was under this type of attack?
>>I watched the exim main log

2. Considering so many IP's are being blocked, would it be a good idea to unblock the ips in a few months or so considering some of those ip's may have been dynamic or spoofed?
>>It depends, if they are dynamically generated, in a few months it is quite possible to have legimate people or quite possiably the entire internet blocked.

I am thinking of keeping them blocked for few days.

 

[chirpy]

My dictionary attack ACL unblocks the IP's within an hour (depending on how often you have thge file rotated via the cron job) since, as you say, they're mostly dynamic. It's highly unlikely that the IP addresses were spoofed, but that's neither here nor there.

I just checked and that server only gets the normal number now (10-20 an hour) so they've been seen off for now

 

[EdRooney]

I just checked and that server only gets the normal number now (10-20 an hour) so they've been seen off for now

You rule!!! Chirpy for president!

 

[sawbuck]

You rule!!! Chirpy for president!

Better nominate him for Prime Minister instead.

 

[dezignguy]

You really shouldn't be accepting mail from dynamic ips anyways... so I don't see that as a concern? Spoofed ips could be a problem though.

Or is the block rule added to iptables without specifiying a port (ie 25) so it would then block http as well?

 

[EdRooney]

How do I block spoofed IPs? I'm at over 15,000 and rapidly increasing

# cat exim_deny | wc -l
15437

 

[EdRooney]

How long does it take beofre the dictionary attackers realize they are blocked and move on to someone elses domain?

 

[haze]

Sometimes.. weeks.

The point of the dictionary attack is to limit the number of useless messages flowing to the inbox.. its up you you as an admin to deal with it as you see fit. They'll still hammer the server ( thats what they're trying to do ).

 

[dezignguy]

How do I block spoofed IPs? I'm at over 15,000 and rapidly increasing

# cat exim_deny | wc -l
15437

Actually, there are a couple settings you can do to help the OS recognize and reject packets from spoofed ips... you'll have to search this forum and possibly google to find them though.

I think putting

ALL: PARANOID

into /etc/hosts.deny is one way... but I'm not real positive on that, or exactly what that does, so look it up first.

 

[Radio_Head]

why you don't simply change the mx record of the domain name under attack with one of these ips ?

 

[chirpy]

Please be more careful - this is a 2 year old thread.