
Re: [tlug] gstewart@example.com mail not working



Moin,

On Sun, 14 Mar 2010 22:53:25 -0000 (GMT)
"Godwin Stewart" <gstewart@example.com> wrote:

> > Or are you just completely unaware that you could avoid rudely wasting
> > people's time by allowing the connection and sending a standard "554
> > 5.7.1 Service unavailable; Client host [1.2.3.4] blocked because I
> > refuse mail from all Asian hosts" or whatever?
> 
> That's what I used to do until my server was getting hammered by dozens of
> SMTP sessions per second, effectively becoming an ongoing DDoS attack.
> Using the MTA to reject those connections was not something that was going
> to scale and I was not about to start spending more money to get a better
> server with more bandwidth, more RAM and more horsepower.

Here, I have to agree with Curt. I don't think that a machine can be
brought down by SMTP alone. Not with so few connections. Of course,
unless you are using a 386 for your mail.

Being a free-time sysadmin myself, and one that is managing some servers
with high exposure, I have to say that I've not seen any of my machines
being brought down by any single service (save one instance where a
CGI script that used a lot of CPU was hammered directly, but that's
IMHO a sysadmin fault).

IMHO the right solution would be to rate limit all incoming connections.
Linux provides nice ways to limit the number of new connections
per second.

Also, you should not drop the incoming packets completely but instead
send an ICMP port unreachable (aka use -j REJECT); this way it'll be
clear to the sysadmin that the host itself is up, but something else
is going on.


				Attila Kinali
-- 
If you want to walk fast, walk alone.
If you want to walk far, walk together.
		-- African proverb
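An added example of the approach Attila describes (not from the thread and not anyone's actual configuration): a POSIX sh script that rate-limits new SMTP connections with iptables and answers the excess with an ICMP port-unreachable via -j REJECT instead of silently dropping. The chain name SMTP_LIMIT, the hashlimit name, and the rates and burst sizes are assumed values; it also adds a per-source cap, which the mail does not mention, so one noisy client cannot exhaust the global budget for everyone.

```shell
#!/bin/sh
# Rate-limit new SMTP connections; REJECT (ICMP port unreachable) the rest.
# Usage:  sh smtp_ratelimit.sh show    # print the rules (no root needed)
#         sh smtp_ratelimit.sh apply   # install them (as root)
IPT=${IPT:-iptables}
SMTP_PORT=${SMTP_PORT:-25}
RATE=${RATE:-10/second}        # assumed global budget for new connections
BURST=${BURST:-20}             # assumed burst allowance
SRC_RATE=${SRC_RATE:-3/second} # assumed per-source-IP cap
SRC_BURST=${SRC_BURST:-5}

# Print the iptables command when DRY_RUN=1, otherwise execute it.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

smtp_ratelimit_rules() {
    # Dedicated chain so the rule set can be flushed and re-applied cleanly.
    ipt -N SMTP_LIMIT 2>/dev/null || ipt -F SMTP_LIMIT
    # Packets of already-accepted sessions are never counted: leave the chain.
    ipt -A SMTP_LIMIT -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    # Per-source cap: a single client above SRC_RATE is rejected right away,
    # so it cannot drain the shared budget below for legitimate senders.
    ipt -A SMTP_LIMIT -m conntrack --ctstate NEW -m hashlimit \
        --hashlimit-name smtp_src --hashlimit-mode srcip \
        --hashlimit-above "$SRC_RATE" --hashlimit-burst "$SRC_BURST" \
        -j REJECT --reject-with icmp-port-unreachable
    # Global budget: new connections up to RATE (burst BURST) are accepted ...
    ipt -A SMTP_LIMIT -m conntrack --ctstate NEW \
        -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
    # ... and everything beyond it gets an ICMP port unreachable, so the
    # remote admin can see the host is alive but the service is refusing.
    ipt -A SMTP_LIMIT -m conntrack --ctstate NEW \
        -j REJECT --reject-with icmp-port-unreachable
    # Hook the chain into INPUT for the SMTP port (delete first to avoid
    # stacking duplicates when the script is re-run).
    ipt -D INPUT -p tcp --dport "$SMTP_PORT" -j SMTP_LIMIT 2>/dev/null || true
    ipt -I INPUT -p tcp --dport "$SMTP_PORT" -j SMTP_LIMIT
}

case "${1:-}" in
    apply) smtp_ratelimit_rules ;;
    show)  DRY_RUN=1; smtp_ratelimit_rules ;;
esac
```

Logging the rejected SYNs (e.g. a -j LOG rule before the final REJECT) tells you whether the limit is actually being hit before you tune the numbers.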

