postfix being DDoS’ed

Last night I had the pleasure of seeing nagios scream about one of my mail servers' load.

When I ssh'ed into the box the load was at 104, ouch. A quick tail -f /var/log/messages showed me the problem: I'm being DDoS'ed. My screen couldn't handle all that output, ~500 connections/s, which makes for two to three times as many log lines in the maillog ;(

So, what to do now?

Postfix has a great service called anvil. anvil tracks connection statistics per client: how many times an IP connected to your SMTP server, how many messages it sent, how many recipients it supplied and how many TLS (SSL) sessions it started. You can also put limits on these parameters.

For example, setting smtpd_client_message_rate_limit to 10 limits the number of messages a client can send you to 10 per minute (the time unit can be changed).

So I quickly set smtpd_client_connection_rate_limit to 50, which allows 50 connections per minute from one host. When a client goes over this limit, postfix doesn't accept the connection and makes a log entry about it, i.e.:

Jul 9 22:28:26 server postfix/smtpd[13310]: warning: Connection rate limit exceeded: 107 from unknown[88.245.165.205] for service smtp

After a few seconds I could already see entries like this in my log.

Now, rejecting the connections still makes postfix do some work: although the load dropped drastically, the server was still handling every connection attempt.

So dropping the connections from those IPs on the firewall is the best way (better still would be doing it on the core router).

A quick one-liner does it well (your_firewall_add_block_cmd stands for whatever command adds a block rule on your firewall):

tail -f /var/log/maillog | perl -ne 'if (/rate limit exceeded: \d+ from .*\[(.*)\] for service/) {system(sprintf("your_firewall_add_block_cmd %s\n",$1));}'
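A more careful version of that watcher, as an added example rather than the post's own one-liner: it parses the same anvil warning, validates the captured address with the ipaddress module before it goes anywhere near a command, counts repeats per IP so the block command runs once instead of once per log line, and builds argv lists rather than a shell string. The block command name is a placeholder and the log lines are constructed for the example.

```python
import ipaddress
import re

# Matches the anvil warning postfix logs when smtpd_client_connection_rate_limit is exceeded.
RATE_LIMIT_RE = re.compile(
    r"warning: Connection rate limit exceeded: (?P<count>\d+) from "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[0-9A-Fa-f.:]+)\] for service (?P<service>\S+)"
)

# Placeholder, not a real tool: substitute your firewall's add-rule command.
BLOCK_CMD = ["your_firewall_add_block_cmd"]


def parse_rate_limit_ips(lines, min_hits=1):
    """Return {ip: number of rate-limit warnings} for IPs seen at least min_hits times."""
    hits = {}
    for line in lines:
        m = RATE_LIMIT_RE.search(line)
        if not m:
            continue
        try:
            # Reject anything that is not a real IP before it can reach a command line.
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue
        hits[ip] = hits.get(ip, 0) + 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def block_commands(ips):
    """One argv list per IP, meant for subprocess.run(cmd): no shell, so log text cannot inject."""
    return [BLOCK_CMD + [ip] for ip in sorted(ips)]


# Constructed sample log lines (the first reuses the IP quoted in the post, the rest are documentation ranges).
SAMPLE_LOG = [
    "Jul 9 22:28:26 server postfix/smtpd[13310]: warning: Connection rate limit exceeded: 107 from unknown[88.245.165.205] for service smtp",
    "Jul 9 22:28:27 server postfix/smtpd[13311]: warning: Connection rate limit exceeded: 108 from unknown[88.245.165.205] for service smtp",
    "Jul 9 22:28:27 server postfix/smtpd[13312]: warning: Connection rate limit exceeded: 51 from mail.example.net[192.0.2.10] for service smtp",
    "Jul 9 22:28:28 server postfix/smtpd[13313]: connect from relay.example.org[198.51.100.7]",
    "Jul 9 22:28:28 server postfix/smtpd[13314]: warning: Connection rate limit exceeded: 60 from unknown[999.1.1.1] for service smtp",
]

if __name__ == "__main__":
    # With min_hits=2 only the repeat offender is blocked; swap print for subprocess.run(cmd) to enforce.
    for cmd in block_commands(parse_rate_limit_ips(SAMPLE_LOG, min_hits=2)):
        print(" ".join(cmd))
```

For live use, feed it the lines from tail -f instead of SAMPLE_LOG and keep a set of already-blocked IPs so the rule is added only once per address.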

Hooray, a few minutes later the load decreased to its usual level.

Overall it took ~10 minutes to stop the DDoS, although it was a small one.

In other words – postfix for the win! :)

3 Responses to “postfix being DDoS’ed”

  1. klon

    Who the heck would DDoS you?

  2. alex

    Well, actually not 'me' but a server which belongs to the company I work for. And, looking at the IPs, most of them were Russian, so I guess Russians tried to strike again.

  3. klon

    Heh, fucking script kiddies.

    But on the other hand, it's really sad that script kiddies became an instrument in politics.
