Protect sendmail from DoS

Mad Unix madunix at gmail.com
Wed Nov 2 15:50:49 UTC 2005


DoS attacks such as Ping of Death cannot be eliminated
but can be reduced by using routers and switches with firewall features,
PIX-Firewall and IDS/IPS.

Firewall features can include intrusion detection, Java blocking, DoS detection,
ACL, ext. ACL, Context-based access control (CBAC), etc.

CBAC can be configured to inspect and filter IP/TCP and UDP traffic, by adding
advanced traffic filtering functionality to examine packets at the network and
transport layer.

In your case, configure CBAC to do SMTP inspection; it will search SMTP for
illegal/unknown SMTP commands.


 On 11/1/05, Steven Jones <Steven.Jones at vuw.ac.nz> wrote:
>
> Dosing is a pretty rare occurrence, unless you are being specifically
> targeted don't worry about it IMHO. DoSing usually means a specific
> person or group wants to kill you off, they have decided for whatever
> reason they want you dead. There are so many ways that these people can
> do it for small users that in effect there is little you can do. If you
> could defeat them at the box itself all they have to do is flex a little
> bit more muscle and DoS your upstream router(s).
>
> They can attack from literally thousands of smtp drones, or if that is
> not enough spam you through open relays with large emails, say 4~10meg a
> shot, a few hundred of them coming in will bog down your server.
>
> The problem will be iptables looks at the packets that make up the email
> and not the content of the email.
>
> So you need to do any blocking or rate limiting at the smtp level, i.e. per
> message and not the IP level which is per packet type thing.
>
> Why are you so concerned about DoS? There are more important things
> spend the time learning how to harden the box and tune sendmail, or look
> at postfix or qmail.
>
> DoS should not be a huge risk, but if it is then you can do little, but
> ride it out.
>
> Regards
>
> Thing
>
> -----Original Message-----
> From: Devon Harding [mailto: devonharding at gmail.com]
> Sent: Wednesday, 2 November 2005 2:08 p.m.
> To: General Red Hat Linux discussion list
> Subject: Re: Protect sendmail from DoS
>
> Is there some way of using something like IPTABLES to block if it sees a
> certain amount of connections from a particular IP? I know Ciphertrust
> Ironmail does this.
>
> On 11/1/05, Steven Jones <Steven.Jones at vuw.ac.nz> wrote:
> >
> > Sendmail has some protection in terms of load limiting, these are a bit
> > high so you can set them lower so the server recovers sooner. This will
> > save your server but in effect it allows DoS sooner.
> >
> > Possibly you do not understand what a DoS is. DoS is a function of your
> > attacker overloading your network or server's capacity to handle network
> > traffic sent at it.
> >
> > These days unless you are a big organisation with huge pipes, big
> > multiple servers and deep pockets, and someone wants you dead, you're
> > dead.
> >
> > If someone wants to take your server out they can, it is simply a matter
> > of logistics, they control 30 or 300 or 3000 or 30000 spam drones of
> > hacked broadband connections and the volume these generate is amazing.
> >
> > I was DoS'd a while back, I was sent 5+gig of volume in 2~3 minutes, my
> > 512k cable modem could not cope so in effect the DoS happened at the
> > ISP's end of my pipe, totally outside of my control.
> >
> > Modern machines, even desktop ones should be able to handle a lot of
> > mail, if you are having issues with DoS's then maybe it is something
> > else.
> >
> > Regards
> >
> > Thing
> >
> >
> >
> > -----Original Message-----
> > From: Devon Harding [mailto:devonharding at gmail.com ]
> > Sent: Wednesday, 2 November 2005 10:43 a.m.
> > To: General Red Hat Linux discussion list
> > Subject: Protect sendmail from DoS
> >
> > How can I protect my sendmail server against DoS attacks?
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request at redhat.com?subject=subscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list



--
madunix at gmail.com
Dipl.-Ing. Nachrichtentechnik (University of RWTH Aachen)
Systems and Network Engineer
MCSE, IBM AIX System Specialist, CCNP
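
The sendmail-level load and rate limiting discussed in this thread, as an added example that is not part of the original messages: a fragment for sendmail.mc. Every numeric value is an assumption to be tuned, and the per-client features assume sendmail 8.13 or later with FEATURE(`access_db') already enabled earlier in the file.

```m4
dnl Added example for /etc/mail/sendmail.mc (not from the thread).
dnl All numbers below are illustrative assumptions; size them to your traffic.
dnl
dnl --- Load limiting: shed SMTP work before the box is overwhelmed ---
dnl Queue incoming mail instead of delivering it above this load average.
define(`confQUEUE_LA', `4')dnl
dnl Refuse new SMTP connections above this load average.
define(`confREFUSE_LA', `8')dnl
dnl Cap the number of concurrent sendmail child processes.
define(`confMAX_DAEMON_CHILDREN', `40')dnl
dnl Accept at most this many new connections per second; extras are delayed.
define(`confCONNECTION_RATE_THROTTLE', `10')dnl
dnl
dnl --- Per-message limits: the SMTP-level controls iptables cannot apply ---
dnl Reject messages larger than 5 MB (value is in bytes).
define(`confMAX_MESSAGE_SIZE', `5242880')dnl
dnl Limit recipients per message.
define(`confMAX_RCPTS_PER_MESSAGE', `50')dnl
dnl Slow down a client after this many unknown recipients in one session.
define(`confBAD_RCPT_THROTTLE', `3')dnl
dnl
dnl --- Per-client limits (sendmail 8.13+), driven by the access map ---
dnl Limit new connections per client per rate window.
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
dnl Limit simultaneous connections per client.
FEATURE(`conncontrol', `nodelay', `terminate')dnl
dnl
dnl Matching /etc/mail/access entries (constructed sample values):
dnl   ClientRate:127.0.0.1    0     no limit for localhost
dnl   ClientRate:             10    default: 10 new connections per window
dnl   ClientConn:127.0.0.1    0     no limit for localhost
dnl   ClientConn:             5     default: 5 simultaneous connections
```

As the thread points out, lower thresholds protect the server but make it turn mail away sooner. Regenerate sendmail.cf and the access map after editing, then restart sendmail.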


