[c-nsp] Mail bomb mitigation

nevot r.nevot at gmail.com
Thu Jun 16 20:00:18 EDT 2005


Focus on the mail server.
Things like sleeping connections for 2 seconds between the connection and
the first message, and not authorizing pipelining of SMTP commands, are
very useful to mitigate this.
Although we are drifting off-topic, what MTA is behind the PIX?

2005/6/15, Brian Turnbow <b.turnbow at twt.it>:
> You wouldn't want to share your list would you?
> We have more or less gotten things back under control by changing the MX record and "good" mail is moving again, as the attack remains towards the old IP address, but I'm afraid that when the cache times out that things will start again tomorrow.
> I've never seen such a well done bomb. The message and subject change just enough every couple of minutes that filtering is impossible and we've logged about 10.000 different IPs from all over the globe as sources.
> 
> Thanks to all
> Brian
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Franklin
> Sent: mercoledì 15 giugno 2005 18.27
> To: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Mial bomb mitigation
> 
> > There are many sendmail techniques regarding reverse DNS that can be
> > used.
> 
> On a personal level, feeding a few dial-up lists to Postfix has worked
> wonders for me.  If the victim is seeing thousands of different IP
> addresses, there's a good chance it's residential zombies, and most of these
> will be caught by the DULs.  I've only used this against spam though, not a
> concentrated attack - I don't know how much it will help the load on the
> server.
> 
> Greylisting is also a personal huge win against spam, but how effective this
> is against a mail-bomb will depend on how the attacker behaves when faced
> with a 4xx code, and whether the problem is coming from the number of
> connections or the volume of message bodies.
> 
> Of course, both of these do have the potential for collateral damage, which
> is a different decision to make on a company mail server than a personal
> one...
> 
> Regards,
> Tim.
> 
> --
> ____________   Tim Franklin                 e: tim at colt.net
> \C/\O/\L/\T/   Product Engineering Manager  w: www.colt.net
> V  V  V  V    Managed Data Services        t: +44 20 7863 5714
> Data | Voice | Managed Services             f: +44 20 7863 5876
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
>
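
The greeting delay and the pipelining check suggested in the reply at the top of this message, as an added example that is not part of the original post or taken from any MTA: it holds the banner, rejects a client that talks first, and rejects commands sent without waiting for a reply. Function names, the hostname and the reply texts are constructed, and only the start of a session is checked.

```python
import select
import socket

GREET_DELAY = 2.0  # seconds to hold the banner, the value suggested above

def early_talker(conn, delay=GREET_DELAY):
    """Hold the banner for `delay` seconds; True if the client speaks
    (or hangs up) before we have greeted it."""
    readable, _, _ = select.select([conn], [], [], delay)
    return bool(readable)

def unauthorized_pipelining(buf):
    """True if bytes follow the first complete command in one read, i.e. the
    client did not wait for our reply. Only meaningful while the server has
    not advertised the PIPELINING extension."""
    _, crlf, rest = buf.partition(b"\r\n")
    return bool(crlf and rest)

def handle(conn, delay=GREET_DELAY):
    """Apply both checks to the start of one SMTP session; return the verdict."""
    if early_talker(conn, delay):
        conn.sendall(b"554 5.5.0 Spoke before greeting\r\n")
        return "rejected-early-talker"
    conn.sendall(b"220 mx.example.test ESMTP\r\n")  # constructed hostname
    first = conn.recv(4096)
    if not first:
        return "disconnected"
    if unauthorized_pipelining(first):
        conn.sendall(b"503 5.5.0 Pipelining not allowed\r\n")
        return "rejected-pipelining"
    conn.sendall(b"250 mx.example.test\r\n")
    return "accepted"

if __name__ == "__main__":
    # Constructed client that sends its commands without waiting for the banner.
    server, client = socket.socketpair()
    client.sendall(b"HELO bot\r\nMAIL FROM:<x@example.test>\r\n")
    print(handle(server, delay=0.5))
    print(client.recv(200))
```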
