welcome to the world of…

Looks like a small bulb used to indicate something unusual, like a malfunction.

Postfix and DDoS

Filed under: Uncategorized — Tags: , , , — admin @ 2009-01-27 23:04

Last twelve days my SMTP servers were under a continual DDoS. Attack consisted of ~1300000 attempts to deliver a message to random mailboxes under a single domain. Attacks came from ~280000 unique IP addresses.

Purpose of this attack is unknown and I think it was a choice of random. The domain is absolutely insignificant and those IPs were already reported to blacklists. Strange thing but maybe somebody was just harassing the internet for fun. Great job of recruiting zombies anyway.

Problem was that this huge ammount of simultaneous connections saturated my maximum spawned SMTP proccesses so the server wasn’t able to serve more (legitimate) requests. Huge problem – customers are angry.

DDoS attacks are in general very hard to solve. In this case each IP was used to send only a few messages so simple firewall blocking was useless. I tried to introduce blacklist client checking. I added those lines to the Postfix conf:

smtpd_client_restrictions = reject_rbl_client cbl.abuseat.org,
                            reject_rbl_client pbl.spamhaus.org,
                            reject_rbl_client sbl.spamhaus.org,
                            permit

I found that this is useful only in a case when a single IP tries to send a message to multiple recipients in a short interval because it checks the IP against blacklists only once and then it is cached so every consequent matching is much faster than matching the recipient against existing mailboxes. Adverse effect is that each request to the blacklist makes the SMTP process a little bit longer. To speed it up I disabled reverse lookup of IP addresses:

smtpd_peername_lookup = no

Opened connections dropped below the maximum limit and I could sleep better then.

1 Comment

  1. Thanks you for your interesting infomation. Is very helpful.

    Regards.

    Comment by Michael Madison — 2012-04-14 @ 01:56

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.