Mailbomb DDOS and Postfix solution

We‘resuddenly getting hit by a DDoS that’s mailbombing our SMTP server with many simultaneous incoming emails for email addresses that don‘t exist. So we‘re getting a lot of errors in our logs about rejected email because of “User unknown in local recipient table”. It took us a while to get a handle on this. We got part of the way with some hacks, but the server was still unstable. I posted questions on “http://plug.linux.org.ph“>the Philippine Linux User’s Group mailing list and the postfix-users mailing list, and I‘ve got a recipe of things to mitigate the problem.

Orly at mozcom says to do:

disable_vrfy_command = yes
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_delay_reject = no

# slowing down bad clients [added recommendations from wietse]
# we NEED hard_error_limit in order for dictionary-attack stoppage to work
smtpd_error_sleep_time = 0s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_timeout = 30s

and Victor Duchovni on the postfix mailing list gave me the smtp_error_sleep time thing too. Thanks to both.

We‘ve checked with upstream and downstream mailservers and they‘re not getting bombed. So it’s probably a targetted DDoS. Some competitor in CDO is sufficiently worried about us that they‘re willing to pay real money to have thousands of zombie computers out there (many of the IPs resolve to dsl and cable companies in the states, so they‘re always-on, high bandwidth, cracked-wide-open windows boxes being orchestrated to attack us at the same time) attack us. We had a similar problem around midnight one night, very high UDP packets coming in. Ah well, there’s probably no way to trace this back to the person or company that commissioned this short of going and finding the person/persons who cracked those zombie machines and, well, dismembering them little by little until they squeal.

No comments: