LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-13-2015, 07:06 PM   #1
JustGettinBy
LQ Newbie
 
Registered: Jan 2015
Posts: 2

Rep: Reputation: Disabled
SMTP DOS Attack - EXIM


Hi,

I need help stopping a DDoS attack on port 25. What's the best course of action, adding a smarthost, greylisting, APF, (D)DosDeflate...??? I've dealt with this stuff before but had a real firewall (Checkpoint and ASA) to stop this at the perimeter, not some basic small business appliance.

I'm running Exim on Ubuntu. It's been running for over a year without major problems. Today, my server started denying inbound SMTP connections and further investigation showed hundreds of inbound SMTP connections per second. For a matter of scale, we host 150 mailboxes. It's not an open relay.

On my --very basic firewall-- appliance, I added 11 different deny rules for x.x.x.x/16 to stop the bulk of the inbound connections. To throttle the remainder, I configured Exim to allow only 2 connections per host.

The attacker is spoofing IPs from major senders such as hotmail.com and gmail.com, so firewall rules are not an effective long term fix.
 
Old 01-16-2015, 01:27 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
As you don't seem to be getting any other answers, here is my 'best effort' (for the bits where I have any idea).

Quote:
Originally Posted by JustGettinBy View Post
I need help stopping a DDoS attack on port 25.
Most of the people who report that they have a DDoS, don't. You seem to have looked for the right stuff, so I'll assume that you, unlike them, actually do have a DDoS.

I need to also note that most people who have a DDoS either
  • have a business like a casino where they are obviously losing money per minute and thus are under pressure to pay
  • have seriously upset someone (someone nasty)

and you don't seem to fit into either of those categories. Do you have a reason that 'they' are attacking you?

In any case, you may well have to contact your upstream to get assistance. If 'they' have enough bandwidth to deploy against you (and bandwidth costs money), and are prepared to do it, then you are trouble, whatever you do locally, so upstream assistance would be required.

Anyway, on to some palliative measures that may or may not be useful, in the short term.

Quote:
Originally Posted by JustGettinBy View Post
(D)DosDeflate...???
IMHO, not that. I looked at it, out of general interest, a couple of years back, and it has some odd features. I can't see how it works against a true DDoS, but it may work against a plain DoS or a DDoS with a very limited number of sources (which makes it not a real DDoS).

In addition, there seemed to be some odd features:
The same code seemed to be claimed as theirs by a couple of different individuals. One of them reacted by getting abusive to anybody who queried his proprietorship or understanding, and that seemed an odd and unhelpful response. But, this is the internet, I suppose...

Quote:
Originally Posted by JustGettinBy View Post
The attacker is spoofing IPs from major senders such as hotmail.com and gmail.com so firewall rules are not an effective long term fix...On my --very basic firewall-- appliance, I added 11 different deny rules for x.x.x.x/16 to stop the bulk of the inbound connections.
Let's just say that whether firewall rules are or are not a possible way forward, those firewall rules seem unlikely to work against a real DDoS. It remains to be seen whether doing something 'cleverer'/different has any more potential in it.

I'll also point out that iptables is a real firewall, just not necessarily in a separate appliance (piece of hardware). It is very flexible, but all of its features are not necessarily obvious from a surface skim, and certainly not from some kind of '...made easy...' front end (so, if you have been using one of the GUI things, you may have to stop, in order to get more flexibility). And maybe you need to say something about the physical set-up, because it is unclear to me whether adding a separate box to do firewalling is at all possible.

(And the compulsory mention for the tutorial/manual at frozentux. Must read, even if long.)

Is whitelisting a possibility? You host ~150 mailboxes, so your list of 'white' IPs could be small-ish. Probably causes an issue when a new 'white' IP needs to be created, but maybe that could be proceduralised, somehow.

How many individual IP addresses would you need to blacklist (based on current numbers, which would presumably grow if you did start blacklisting existing bad guys)? That might still be manageable, particularly with ipset.

(Actually, the biggest problem with big numbers is probably the 'managing the lists, without errors and still being able to add and subtract IPs' rather than 'can the software cope with a big list' problem. At least, that's the one that bites first.)
 
1 members found this post helpful.
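Putting the thread's two measures together, the OP's /16 deny rules plus 2-connections-per-host limit and salasi's ipset suggestion, as an added example that is not code from either poster: it groups constructed `ss`-style peer lines by /16, then emits `ipset restore` and `iptables-restore` text for the busiest prefixes and a per-host connection cap. The set name `smtp_block`, the threshold and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from either poster: group inbound :25 peers by /16,
# then emit ipset + iptables rules for the busiest prefixes and a per-host
# connection cap. Set name, threshold and sample addresses are assumptions.

# Constructed sample: peer address:port of established connections to port 25,
# i.e. the peer column of `ss -tn state established '( sport = :25 )'`.
SAMPLE_PEERS='203.0.113.10:51234
203.0.113.77:51240
203.0.113.78:51241
198.51.100.5:40000
203.0.113.200:51300
192.0.2.9:33000
203.0.113.201:51301
198.51.100.6:40001'

# busy_prefixes THRESHOLD [PEERS]: print "count prefix/16" for every /16 that
# holds at least THRESHOLD connections, busiest first.
busy_prefixes() {
    peers="${2:-$SAMPLE_PEERS}"
    printf '%s\n' "$peers" | awk -F'[.:]' -v t="$1" '
        NF >= 4 { c[$1 "." $2 ".0.0/16"]++ }
        END { for (p in c) if (c[p] >= t) print c[p], p }' | sort -rn
}

# ipset_script THRESHOLD: an `ipset restore` script; hash:net stores whole
# CIDRs, so each /16 costs one set entry rather than a rule per host.
ipset_script() {
    echo "create smtp_block hash:net -exist"
    busy_prefixes "$1" | awk '{ print "add smtp_block " $2 " -exist" }'
}

# iptables_rules: an `iptables-restore` fragment that drops the blocked set on
# port 25, then caps each remaining source host at 2 concurrent connections
# (the limit the OP set in Exim, enforced here before Exim forks a process).
iptables_rules() {
    cat <<'EOF'
*filter
-A INPUT -p tcp --dport 25 -m set --match-set smtp_block src -j DROP
-A INPUT -p tcp --dport 25 --syn -m connlimit --connlimit-above 2 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Dry run: show what root would pipe into `ipset restore` and `iptables-restore`.
ipset_script 3
iptables_rules
```

Replace `SAMPLE_PEERS` with live `ss` output to apply it to a real host; the whitelist variant salasi raises is the same set logic with `-j ACCEPT` for known-good prefixes placed before the DROP.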
Old 01-22-2015, 06:23 PM   #3
JustGettinBy
LQ Newbie
 
Registered: Jan 2015
Posts: 2

Original Poster
Rep: Reputation: Disabled
Salasi - Thanks for taking the time to reply and the new vocabulary word, palliative.

This attack is still occurring, my ISP is mostly worthless in helping, but I've managed to combine APF (excellent project) with creative Exim settings to reduce the effectiveness of the attack.

When I said "real firewall" perhaps it would have been better to say "enterprise firewall" such as ASA or Checkpoint, as they have 'sensors' to detect irregular traffic patterns. iptables is a real firewall, it just has a static rule-set, until you add APF!
 
Tags
apf, ddos, exim