I am getting hit with a distributed dictionay email attack

Status
Not open for further replies.

EdRooney

BANNED
Oct 21, 2004
166
0
166
I am getting hit with a distributed dictionay email attack

I installed the anti-dictionary attack software but it just keeps coming from new IPs

# cat /etc/exim_deny | uniq | wc -l
1058

Its been running about an hour now and is still increasing.

What should I do?

Is it good to block that many ips? Will that slow down delivery of regular mail?
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,466
30
473
Go on, have a guess
That number should be fine. So long as you have installed the recommended hourly cron job it will rotate the IP addresses. You're likely to have a far greater load on your server if you didn't have the ACL in place.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,466
30
473
Go on, have a guess
Yes. I have a server that at one time was getting around 3000 attacks an hour. It was the reason I wrote the ACL in the first place.
 

damainman

Well-Known Member
Nov 13, 2003
515
0
166
1. How did you know you was under this type of attack?
2. Considering so many IP's are being blocked, would it be a good idea to unblock the ips in a few months or so considering some of those ip's may have been dynamic or spoofed?

Thank you in advance for your replies.
 

EdRooney

BANNED
Oct 21, 2004
166
0
166
1. How did you know you was under this type of attack?
>>I watched the exim main log

2. Considering so many IP's are being blocked, would it be a good idea to unblock the ips in a few months or so considering some of those ip's may have been dynamic or spoofed?
>>It depends, if they are dynamically generated, in a few months it is quite possible to have legimate people or quite possiably the entire internet blocked.

I am thinking of keeping them blocked for few days.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,466
30
473
Go on, have a guess
My dictionary attack ACL unblocks the IP's within an hour (depending on how often you have thge file rotated via the cron job) since, as you say, they're mostly dynamic. It's highly unlikely that the IP addresses were spoofed, but that's neither here nor there.

I just checked and that server only gets the normal number now (10-20 an hour) so they've been seen off for now ;)
 

dezignguy

Well-Known Member
Sep 26, 2004
533
0
166
You really shouldn't be accepting mail from dynamic ips anyways... so I don't see that as a concern? Spoofed ips could be a problem though.

Or is the block rule added to iptables without specifiying a port (ie 25) so it would then block http as well?
 

EdRooney

BANNED
Oct 21, 2004
166
0
166
How do I block spoofed IPs? I'm at over 15,000 and rapidly increasing

# cat exim_deny | wc -l
15437
 

EdRooney

BANNED
Oct 21, 2004
166
0
166
How long does it take beofre the dictionary attackers realize they are blocked and move on to someone elses domain?
 

haze

Well-Known Member
Dec 21, 2001
1,550
3
318
Sometimes.. weeks.

The point of the dictionary attack is to limit the number of useless messages flowing to the inbox.. its up you you as an admin to deal with it as you see fit. They'll still hammer the server ( thats what they're trying to do ).
 

dezignguy

Well-Known Member
Sep 26, 2004
533
0
166
EdRooney said:
How do I block spoofed IPs? I'm at over 15,000 and rapidly increasing

# cat exim_deny | wc -l
15437
Actually, there are a couple settings you can do to help the OS recognize and reject packets from spoofed ips... you'll have to search this forum and possibly google to find them though.

I think putting

ALL: PARANOID

into /etc/hosts.deny is one way... but I'm not real positive on that, or exactly what that does, so look it up first.
 

Radio_Head

Well-Known Member
Verifed Vendor
Feb 15, 2002
2,051
1
343
why you don't simply change the mx record of the domain name under attack with one of these ips ?
 
Status
Not open for further replies.