On 6/14/2013 11:19 AM, Viktor Dukhovni wrote:
> On Fri, Jun 14, 2013 at 06:00:37PM +0200, Simon B wrote:
> 
>> On 14 June 2013 17:44, c cc <sub...@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> For the last few days, I noticed that our postfix server had crawled to a halt
>>> due to some kind of email attack. As you can see below, there were a lot of
>>> smtp connections.  I was wondering if there is a way to stop this from
>>> Postfix? Thanks!
>>>
>>> /etc/postfix $netstat -plan | grep ':25' | grep ESTAB
>>> tcp        0      0 xx.xx.xx.xx:25 181.66.192.196:11798        ESTABLISHED
>>> 17329/smtpd
>>> tcp        0      0 xx.xx.xx.xx:25 77.42.140.151:54112         ESTABLISHED -
>>> tcp        0      0 xx.xx.xx.xx:25 109.166.128.3:36208         ESTABLISHED -
>>> tcp        0      0 xx.xx.xx.xx:25 186.46.0.66:16698           ESTABLISHED
>>
>> Presumably they are connecting more than once?  Fail2ban?
> 
> Looks more like a botnet, so the connections may not in fact recur.

Quite right, it is a botnet attack.  And without further logging, I'd
guess this is a DoS attack on TCP 25.  The clients are probably not even
attempting delivery, but simply tying up TCP sockets.

> I would consider disabling reverse DNS resolution under stress.
> Anything that reduces latency in the SMTP server.  Also make sure
> recipient lookups are fast (SAV and RAV may lead to concurrency
> spikes, try to have static sources of recipient information).
> 
> Also raise the number of smtpd(8) processes.  The postscreen(8)
> feature may help, but this is best with Postfix 2.10.0 or so.

This is a scenario purpose-built for postscreen, is it not?  In lieu of
postscreen, and in addition to Viktor's other suggestions, two simple
restrictions may have greatly reduced the impact of this attack:

1.  reject_unknown_reverse_client_hostname
2.  http://www.hardwarefreak.com/fqrdns.pcre

fqrdns.pcre is missing some of the rDNS patterns of those IPs, but
contains many of them.  I'll be adding the others in the near future.

-- 
Stan
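The thread's suggestions pulled together as Postfix configuration, as an added example that is not from any of the posters. The pcre patterns are constructed stand-ins for the shape of a generic-rDNS map, not the contents of fqrdns.pcre, and the map path /etc/postfix/fqrdns.pcre is assumed.

```conf
# /etc/postfix/master.cf -- hand port 25 to postscreen (the thread recommends
# Postfix 2.10.0 or later); smtpd becomes a "pass" service that only receives
# connections postscreen has already vetted.
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

# /etc/postfix/main.cf
# Drop clients that start talking before the greeting is complete, a common
# trait of bots that hold sockets open or spray mail; legitimate MTAs wait.
postscreen_greet_action = enforce

# More smtpd processes so idle attacker connections cannot starve real
# senders (the "smtpd pass" service above inherits this limit).
default_process_limit = 200

# The two restrictions from Stan's reply, evaluated in this order.
# Assumes the pcre map is installed at /etc/postfix/fqrdns.pcre.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access pcre:/etc/postfix/fqrdns.pcre,
    reject_unknown_reverse_client_hostname

# Viktor's "disable reverse DNS under stress" is this switch. It removes the
# lookup the two restrictions above depend on, so it is an alternative to
# them, not a companion.
# smtpd_peername_lookup = no

# /etc/postfix/fqrdns.pcre -- constructed stand-in patterns, NOT the real
# file's contents. Postfix tries patterns top to bottom; the first match wins.
# Reverse names such as 181-66-192-196.dsl.example or
# ip-181-66-192-196.example are what generic/dynamic pools typically carry.
/^(\d{1,3}[-.]){4}/               REJECT generic reverse DNS name, use your ISP's relay
/^ip-(\d{1,3}-){3}\d{1,3}\./      REJECT generic reverse DNS name, use your ISP's relay
/\.(dyn|dynamic|dhcp|pool|ppp)\./ REJECT dynamic address, use your ISP's relay
```

Run `postmap -q 181-66-192-196.dsl.example pcre:/etc/postfix/fqrdns.pcre` to confirm a pattern fires before reloading Postfix.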
