
Re: [tlug] gstewart@example.com mail not working



On 2010-03-15 09:56 +0100 (Mon), Christian Horn wrote:

> There is another nice approach worth mentioning: Trapit, in German
> Teergrube. Here, once the server has made the decision the connection is
> not desired, it's not cancelling the connection but just keeping it
> open. If you get many connections from different IPs this will tend to
> waste your resources...

Actually, I suspect that if you set things up correctly there's no
reason that it should use any resources at all. I do believe that if
you've sent no data, there's no state you need to keep; you can get all
the information you need to fabricate a reply (acknowledging the data
they've sent that you are ignoring) from the incoming TCP packet itself.

Well, I guess you'd want to keep track of which addresses you're
applying this to, so that you don't confuse valid TCP sessions.

Still, it's a pretty neat idea.

That said, I would be perfectly happy if Mr. Stewart would simply use
the rate-limiting built into iptables to block attacks while allowing
the good guys in, rather than doing things normally designed to waste
the time of anybody trying to make use of proffered services.

  http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html

That would be, of course, only if you're not using postfix, which has
its own rate limiting:

  http://www.postfix.org/TUNING_README.html#conn_limit

cjs
-- 
Curt Sampson         <cjs@example.com>         +81 90 7737 2974
             http://www.starling-software.com
The power of accurate observation is commonly called cynicism
by those who have not got it.    --George Bernard Shaw
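The per-client rate limiting Curt points at (iptables' rate-limit modules, or postfix's smtpd_client_connection_rate_limit counted within anvil_rate_time_unit) comes down to a sliding window of connection attempts per source address. As an added illustration, not code from the thread or from either project, here is that logic in Python run over constructed traffic: a flooder is refused while a client connecting at a normal pace keeps getting in. The limits, addresses and timings are made up.

```python
from collections import defaultdict, deque


class ClientRateLimiter:
    """Allow at most `max_conns` connection attempts per client within a
    sliding `window` of seconds (the shape of postfix's
    smtpd_client_connection_rate_limit / anvil_rate_time_unit).
    Refused attempts still count, so a client that keeps hammering stays
    refused until it backs off for a full window."""

    def __init__(self, max_conns=5, window=60):
        self.max_conns = max_conns
        self.window = window
        # client ip -> timestamps of its most recent attempts (bounded)
        self.history = defaultdict(deque)

    def allow(self, client_ip, now):
        q = self.history[client_ip]
        # forget attempts that have aged out of the window
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        if len(q) > self.max_conns:
            q.popleft()  # keep only the newest max_conns timestamps
            return False
        return True


def simulate(events, limiter):
    """Run constructed (timestamp, client_ip) attempts, in time order,
    through the limiter. Returns {client_ip: (accepted, refused)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in events:
        stats[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


# Constructed sample traffic (RFC 5737 documentation addresses): one polite
# client at one connection per 20 s, one flooder once a second for two minutes.
SAMPLE_EVENTS = sorted(
    [(t, "192.0.2.10") for t in range(0, 120, 20)]
    + [(t, "203.0.113.77") for t in range(0, 120)]
)


def demo():
    return simulate(SAMPLE_EVENTS, ClientRateLimiter(max_conns=5, window=60))


if __name__ == "__main__":
    for ip, (ok, refused) in demo().items():
        print(f"{ip}: accepted={ok} refused={refused}")
```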
