From owner-freebsd-net Sat Sep 8 07:10:06 2001
Delivered-To: freebsd-net@freebsd.org
Received: from mgw1.MEIway.com (mgw1.meiway.com [212.73.210.75]) by hub.freebsd.org (Postfix) with ESMTP id D5BA137B407 for ; Sat, 8 Sep 2001 07:10:01 -0700 (PDT)
Received: from mail.Go2France.com (ms1.meiway.com [212.73.210.73]) by mgw1.MEIway.com (Postfix Relay Hub) with ESMTP id 7BB6E16B13 for ; Sat, 8 Sep 2001 16:09:59 +0200 (CEST)
Received: from IBM-HIRXKN66F0W.Go2France.com [66.64.14.18] by mail.Go2France.com with ESMTP (SMTPD32-6.06) id A9318FC00058; Sat, 08 Sep 2001 16:20:33 +0200
Message-Id: <5.1.0.14.0.20010908090440.06337828@mail.Go2France.com>
X-Sender: LConrad@Go2France.com@mail.Go2France.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Sat, 08 Sep 2001 09:09:42 -0500
To: Freebsd-net@freebsd.org
From: Len Conrad
Subject: tracing an attack using spoofed IPs
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

A client has been receiving an attack on this mail gateway's port 25 for 3 weeks. We increased the postfix SMTPD processes from 50 to 150, and the hourly msg rejects jumped from 5000 to 15000, roughly.

The source addresses used by the attacker(s) are mostly in the various RBL bases, 100s of them.

The problem is that the attack is consuming so many SMTPD processes that valid incoming mail is taking several hours to arrive, as the sender MTA can't get an answer when it connects to port 25: the definition of DoS.

Is there any way to trace the real source of the spoofed packets?
Len
http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
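As an added example that is not part of Len's message and not Postfix or FreeBSD code: before trying to trace sources, a defender usually wants to know whether the reject load on port 25 is spread across hundreds of clients (as the post describes) or dominated by a few, and how it is distributed per hour. The script below aggregates Postfix smtpd reject lines by hour and by client address. The log format assumed is the `NOQUEUE: reject: RCPT from host[ip]` shape that Postfix smtpd writes for RBL rejects; the sample lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines (not real logs) in the shape Postfix smtpd uses for
# RBL rejects.  One "connect from" line is included to show it is ignored.
SAMPLE_LOG = """\
Sep  8 14:01:12 mgw1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using rbl.example.net; from=<a@example.org> to=<b@example.com> proto=ESMTP helo=<x>
Sep  8 14:03:40 mgw1 postfix/smtpd[1235]: connect from unknown[198.51.100.7]
Sep  8 14:05:02 mgw1 postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using rbl.example.net; from=<c@example.org> to=<b@example.com> proto=SMTP helo=<y>
Sep  8 14:59:59 mgw1 postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using rbl.example.net; from=<d@example.org> to=<b@example.com> proto=ESMTP helo=<x>
Sep  8 15:10:00 mgw1 postfix/smtpd[1240]: NOQUEUE: reject: RCPT from relay.example[203.0.113.5]: 554 Service unavailable; Client host [203.0.113.5] blocked using rbl.example.net; from=<e@example.org> to=<b@example.com> proto=ESMTP helo=<z>
Sep  8 15:12:30 mgw1 postfix/smtpd[1241]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using rbl.example.net; from=<f@example.org> to=<b@example.com> proto=ESMTP helo=<x>
Sep  8 15:45:01 mgw1 postfix/smtpd[1242]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using rbl.example.net; from=<g@example.org> to=<b@example.com> proto=SMTP helo=<y>
"""

# Syslog timestamp, host, then the smtpd reject prefix; captures the hour
# bucket and the client address in square brackets (assumed Postfix format).
REJECT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[0-9.]+)\]"
)


def parse_rejects(log_text):
    """Yield (hour_bucket, client_ip) for every smtpd reject line; skip the rest."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            bucket = f"{m['mon']} {int(m['day']):02d} {m['hour']}:00"
            yield bucket, m["ip"]


def summarize(log_text):
    """Count rejects per hour and per client, and how concentrated the load is."""
    per_hour = Counter()
    per_ip = Counter()
    for bucket, ip in parse_rejects(log_text):
        per_hour[bucket] += 1
        per_ip[ip] += 1
    total = sum(per_ip.values())
    return {
        "total_rejects": total,
        "distinct_sources": len(per_ip),
        "per_hour": dict(per_hour),
        "top_sources": per_ip.most_common(5),
        # Fraction of all rejects produced by the single busiest client:
        # near 1.0 means one host to block, near 0 means a wide spread.
        "top_source_share": (per_ip.most_common(1)[0][1] / total) if total else 0.0,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"rejects: {summary['total_rejects']} from {summary['distinct_sources']} clients")
    for bucket, n in sorted(summary["per_hour"].items()):
        print(f"  {bucket}  {n} rejects")
    print("busiest clients:", summary["top_sources"])
    print(f"busiest client share: {summary['top_source_share']:.0%}")
```

Run it against a real maillog (`summarize(open('/var/log/maillog').read())`) to get the hourly figures the post quotes and a ranked client list; a low `top_source_share` with hundreds of distinct clients confirms the "100s of RBL-listed sources" picture, while a high share points at a handful of hosts that a firewall rule would take off the SMTPD process pool.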