Re: DDOS attack
- From: "D. Stussy" <spam+newsgroups@xxxxxxxxxxxxxxxx>
- Date: Wed, 31 Aug 2011 17:58:42 -0700
"grpprod" <grpprod@xxxxxxxxx> wrote in message
news:j3korp$mdq$1@xxxxxxxxxxxxxxxx
Thanks for the detailed reply.
define(`confCONNECTION_RATE_THROTTLE', `30')dnl
What value would you recommend for this? In fact, I seem to confuse this
setting with the clientrate setting. What is the actual difference?
One second is too short to hamper spammers. Try at least 5000-7500, and
adjust the above timeouts to compensate. Some of your other timeouts may
be too small as compared to RFC suggestions, unless you don't mind
over congested network paths. Try 20s instead of 5s.
Are you referring to the greeting pause to be longer than 5s?
Yes, but I'm also talking about the other timeout values you set to 5
seconds.
Too high. In a 30 minute window, a typical RFC-abiding client will retry 3
times (i.e. every 10 minutes), so set to 3.
Wouldn't this result in a legitimate server not being able to send more
than 3 emails to us in 30 minutes?
No, because servers can send more than one message per connection.
It means that they cannot connect more than 3 times in 30 minutes.
I have clientrate < clientconn (actually clientrate = clientconn + 1) so
I can return a 421 error and tell them to go away nicely. However, I use
a 9 minute rate window.
Is it wise to use a smaller window or it is just a personal preference?
I was wrong. I'm using a 4m window now because some non-spam systems were
retrying every 5 minutes.
Rejecting with TCP RST may be better here. Also, you seem to limit SMTP
transactions to 10 TCP packets with this.
1) Connections accepted by "NEW" rule (TCP SYN).
2) TCP ACK to connection and possibly "HELO"
3) "MAIL FROM"
4) "RCPT TO" (first, if multiple)
[usually one per packet due to replies]
5+) "DATA"
6+) Message (63.9k plus terminating "." max. size)
7++) "QUIT"
8++) TCP FIN+ACK
I kind of lost you here. I am not sure how to reject with TCP RST. Also,
You're using IPtables and don't know how to reject with an RST? Look it
up.
I had the impression that 'hitcount' refers to the number of connections, not
packets (at least it works like this for my SSH - hitcount 2, seconds 60 does
not allow more than two SSH connections per minute).
Only if it triggered on SYN packets. However, with your ruleset, it
triggers on EVERY packet.
In general, I use the following rules to control the number of connections for a
specific IP in a specific port. Seemed to work so far (not sure if it
blocked legit packets, but gave the desired result). Please be kind enough
to clarify once more why I have to change the order (or any other change).
Because it kills SMTP connections which take longer than 10 packets
including setup and teardown.
<OPTIONAL> $IPTABLES -i $IF_PRI -A INPUT -p tcp -s <IP_WITH_NO_LIMIT> --dport <port> -m state --state NEW -j ACCEPT
$IPTABLES -i $IF_PRI -A INPUT -p tcp --dport <port> -m recent --update --seconds <interval> --hitcount <connections> -j DROP
$IPTABLES -i $IF_PRI -A INPUT -p tcp --dport <port> -m state --state NEW -m recent --set -j ACCEPT
$IPTABLES -i $IF_PRI -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Not certain if this will be reached. You have already filtered out new,
established, and related, so that leaves untraced and invalid.
$IPTABLES -i $IF_PRI -A SMTPFLOOD -p tcp -m limit --limit 5/s --limit-burst 1 -j LOG --log-prefix "SMTPFLOOD: "
$IPTABLES -i $IF_PRI -A SMTPFLOOD -p tcp -m limit --limit 5/s --limit-burst 1 -j ACCEPT
So, shouldn't we also limit the OVERALL number of SMTP connections? If so,
how can we do that?
You've already done that with ClientConn and ClientRate. The only reason
to do it with IPtables is if those rates in the MTA are being frequently
exceeded to the point where it's better to start dropping, rejecting, or
tarpitting connections at the firewall.
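As an added illustration (not code from this thread or from either poster), the script below builds the two port-25 rulesets the exchange contrasts so they can be compared line by line: the original ordering, where the `recent --update` check has no state match and is evaluated on every packet, and a corrected ordering that accepts established sessions first, counts only new connections, and answers the excess with a TCP RST instead of a silent DROP. The interface name, port, window length, hit count and the `SMTP` list name are assumed values; `dry_run` is a stand-in for `iptables` so the rules can be reviewed before loading.

```shell
#!/bin/sh
# Added illustration, not code from the thread or from either poster.
#   weak_rules     original ordering: the `recent --update` rule sits in front
#                  with no state match, so it is evaluated on every packet to
#                  port 25. Once a source has reached the hit threshold, every
#                  further packet from it, including the rest of a session that
#                  was already accepted, is silently DROPped.
#   hardened_rules established traffic is accepted first, only new connections
#                  (state NEW, i.e. the SYN) are counted, and the excess gets a
#                  TCP RST so the remote MTA fails fast and retries later.
# Interface, port, window and limit values are assumed defaults.
IPTABLES="${IPTABLES:-iptables}"
IF_PRI="${IF_PRI:-eth0}"
SMTP_PORT="${SMTP_PORT:-25}"
WINDOW="${WINDOW:-240}"    # seconds: the 4-minute window settled on above
MAXCONN="${MAXCONN:-3}"    # new connections per source address per window
NOLIMIT="${NOLIMIT:-}"     # optional source address exempt from the limit

# Dry-run stand-in for iptables: prints the rule it was asked to add.
dry_run() { printf '%s\n' "$*"; }

weak_rules() {
    $IPTABLES -i "$IF_PRI" -A INPUT -p tcp --dport "$SMTP_PORT" \
        -m recent --name SMTP --update --seconds "$WINDOW" --hitcount "$MAXCONN" \
        -j DROP
    $IPTABLES -i "$IF_PRI" -A INPUT -p tcp --dport "$SMTP_PORT" \
        -m state --state NEW -m recent --name SMTP --set -j ACCEPT
    $IPTABLES -i "$IF_PRI" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

hardened_rules() {
    # 1. Packets of already accepted sessions never reach the counters.
    $IPTABLES -i "$IF_PRI" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Optional exemption for a trusted relay.
    if [ -n "$NOLIMIT" ]; then
        $IPTABLES -i "$IF_PRI" -A INPUT -p tcp -s "$NOLIMIT" --dport "$SMTP_PORT" \
            -m state --state NEW -j ACCEPT
    fi
    # 3. A new connection from a source already seen MAXCONN times inside the
    #    window is refused with a RST; --update also records this attempt.
    $IPTABLES -i "$IF_PRI" -A INPUT -p tcp --dport "$SMTP_PORT" -m state --state NEW \
        -m recent --name SMTP --update --seconds "$WINDOW" --hitcount "$MAXCONN" \
        -j REJECT --reject-with tcp-reset
    # 4. Otherwise record the new connection and let it through.
    $IPTABLES -i "$IF_PRI" -A INPUT -p tcp --dport "$SMTP_PORT" -m state --state NEW \
        -m recent --name SMTP --set -j ACCEPT
}

# Usage: IPTABLES=dry_run sh ratelimit.sh hardened   (or: weak)
case "${1:-}" in
    weak)     weak_rules ;;
    hardened) hardened_rules ;;
esac
```

Two caveats when loading this for real: `--hitcount` cannot exceed the recent module's `ip_pkt_list_tot` parameter (20 by default), and the live table can be inspected in `/proc/net/xt_recent/SMTP` to confirm that only one entry per connection, not per packet, is being recorded. As the reply above says, the MTA's ClientConn and ClientRate already do this job; the firewall rule is the overflow valve for when those limits are being hit so often that refusing the SYN is cheaper than accepting the connection.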