  1. #1

    Help with SMTP ddos

    Hello everyone,

    For the past 2 days we have been under what I think is a DDoS attack over SMTP...

    The environment is a web hosting company, and for now there is only one shared hosting server affected.

    The server is CentOS 6.5 with Plesk 11.5.30 and Postfix as the mail server (everything up to date).

    The attack shows up in the maillog as multiple bad requests:
    Jan 30 12:50:11 SERVER postfix/smtpd[13721]: disconnect from unknown[GATEWAY]
    Jan 30 12:50:11 SERVER postfix/smtpd[12252]: lost connection after UNKNOWN from unknown[GATEWAY]
    Jan 30 12:50:11 SERVER postfix/smtpd[12252]: disconnect from unknown[GATEWAY]
    Jan 30 12:50:12 SERVER postfix/smtpd[13574]: connect from unknown[GATEWAY]
    Jan 30 12:50:12 SERVER postfix/smtpd[13372]: lost connection after UNKNOWN from unknown[GATEWAY]
    Jan 30 12:50:12 SERVER postfix/smtpd[13372]: disconnect from unknown[GATEWAY]

    And sometimes
    warning: non-SMTP command from unknown[GATEWAY]: h:??M???2?,??e? ???&?<=,?[?1?z?7?3g=???B???Hf^^N???S0??Y??"_?u?d?`?j???p?7?vnW?|?t(??????L??????????

    The server is NATed by the firewall, so that's why its IP is shown in the log (so I can't blacklist from here).

    I tried to capture with tshark from the firewall, and it seems that a bugged command is sent before the greeting banner... From that I tried multiple Postfix options (smtpd_delay_reject no, smtp_helo_restriction, client_restriction with sleep 2, ...), but Postfix never kills the connection.

    Emails are still delivered, but the problem is an increasing memory consumption of the smtp/amavis processes, which leads to an "OOM kill" of the http process... That's why customers are complaining...

    If anyone has ever faced this issue I would be glad to hear about it!

  2. #2
    The main issue is that you use a firewall in front of your SMTP that doesn't block these requests. Otherwise it would have been easy enough to write a custom regex for fail2ban that, for instance, bans IPs that generate "warning: non-SMTP command from" errors. Other solutions you could try would be putting a TCP proxy in front of your MTA, which only forwards full TCP connections, and hoping that this blocks the malicious requests, or using iptables with string matching to drop requests to port 25 that contain binary data (not sure if there's any pattern you could use).
    Inbound Marketing & real SEO for web hosting providers
    ✎ Get in touch with me: co<at>infinitnet.de
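The fail2ban approach from the reply above, worked through as an added example (this is not code from the thread or from fail2ban itself): two failregex-style patterns for the "lost connection after UNKNOWN" and "non-SMTP command" lines are checked offline against constructed maillog lines modelled on the ones quoted in the first post, the busiest log second is reported, and the offenders are split into addresses a per-IP ban can target versus the NAT gateway, where a ban would also stop all legitimate inbound mail. The addresses 192.0.2.1 (standing in for GATEWAY), 198.51.100.7 and 203.0.113.9 and the extra log lines are constructed; the HOST_RE stand-in for fail2ban's <HOST> expansion is simplified.

```python
import re
from collections import Counter

# Constructed sample maillog lines, modelled on the excerpts quoted in the thread.
# 192.0.2.1 stands in for the NAT gateway address (written as GATEWAY above);
# 198.51.100.7 is a constructed legitimate sender; 203.0.113.9 is a constructed
# direct (non-NAT) offender so that both branches of ban_plan() are exercised.
SAMPLE_LOG = """\
Jan 30 12:50:11 SERVER postfix/smtpd[13721]: disconnect from unknown[192.0.2.1]
Jan 30 12:50:11 SERVER postfix/smtpd[12252]: lost connection after UNKNOWN from unknown[192.0.2.1]
Jan 30 12:50:11 SERVER postfix/smtpd[12252]: disconnect from unknown[192.0.2.1]
Jan 30 12:50:12 SERVER postfix/smtpd[13574]: connect from unknown[192.0.2.1]
Jan 30 12:50:12 SERVER postfix/smtpd[13372]: lost connection after UNKNOWN from unknown[192.0.2.1]
Jan 30 12:50:12 SERVER postfix/smtpd[13372]: disconnect from unknown[192.0.2.1]
Jan 30 12:50:12 SERVER postfix/smtpd[13401]: lost connection after UNKNOWN from unknown[192.0.2.1]
Jan 30 12:50:12 SERVER postfix/smtpd[13574]: warning: non-SMTP command from unknown[192.0.2.1]: h:??M???2?,??e?
Jan 30 12:50:14 SERVER postfix/smtpd[13580]: connect from mail.example.net[198.51.100.7]
Jan 30 12:50:15 SERVER postfix/smtpd[13580]: disconnect from mail.example.net[198.51.100.7]
Jan 30 12:50:16 SERVER postfix/smtpd[13590]: lost connection after UNKNOWN from unknown[203.0.113.9]
Jan 30 12:50:16 SERVER postfix/smtpd[13591]: warning: non-SMTP command from unknown[203.0.113.9]: GET / HTTP/1.0
Jan 30 12:50:17 SERVER postfix/smtpd[13592]: lost connection after UNKNOWN from unknown[203.0.113.9]
"""

# fail2ban-style failregex lines written for this example (not a shipped filter).
# <HOST> is fail2ban's placeholder for the client address.
FAIL2BAN_FAILREGEX = [
    r"lost connection after UNKNOWN from \S+\[<HOST>\]$",
    r"warning: non-SMTP command from \S+\[<HOST>\]:",
]

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4, IPv6 or hostname).
HOST_RE = r"(?P<host>[\w\-.:]+)"
TIMESTAMP_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ")


def compile_failregex(patterns=FAIL2BAN_FAILREGEX):
    """Turn fail2ban patterns into Python regexes so they can be checked offline."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def parse_offenders(log_text, patterns=FAIL2BAN_FAILREGEX):
    """Map client address -> number of lines matching one of the bad-event patterns."""
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # count each line once even if several patterns match
    return hits


def peak_second(log_text, patterns=FAIL2BAN_FAILREGEX):
    """(timestamp, count) of the log second with the most bad events, or None."""
    compiled = compile_failregex(patterns)
    per_second = Counter()
    for line in log_text.splitlines():
        ts = TIMESTAMP_RE.match(line)
        if ts and any(rx.search(line) for rx in compiled):
            per_second[ts.group("ts")] += 1
    if not per_second:
        return None
    return per_second.most_common(1)[0]


def ban_plan(hits, nat_gateway, threshold=3):
    """Split offenders at or above threshold into those a per-IP ban can target and
    those that are really the NAT gateway, where a ban would also stop legitimate
    mail (the situation described in the thread)."""
    bannable = sorted(ip for ip, n in hits.items() if n >= threshold and ip != nat_gateway)
    hidden_by_nat = sorted(ip for ip, n in hits.items() if n >= threshold and ip == nat_gateway)
    return bannable, hidden_by_nat


if __name__ == "__main__":
    hits = parse_offenders(SAMPLE_LOG)
    print("bad events per client:", dict(hits))
    print("busiest second:", peak_second(SAMPLE_LOG))
    bannable, hidden = ban_plan(hits, nat_gateway="192.0.2.1")
    print("ban at firewall:", bannable)
    print("masked by NAT (ban would hit all inbound mail):", hidden)
```

Against a real maillog the same patterns would go into a fail2ban filter file and be checked with the `fail2ban-regex` tool before enabling the jail; the point the script makes explicit is that on the poster's NATed server every hit resolves to the gateway address, so a ban list derived from the log can only ever contain the firewall itself, which is why the reply says the block has to happen in front of the NAT.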

  3. #3
    I've had a similar problem, and fail2ban was no use because the source of the attack seems to have been a botnet with about 300,000 different IP addresses. Another consequence was logfiles filling the disc, but the server kept working.

    Enabling postscreen (http://www.postfix.org/POSTSCREEN_README.html) made a big difference in my case. I had to upgrade to a more recent OS (Ubuntu 12.04) to do this.
    Phil McKerracher
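What enabling postscreen looks like in practice, as an added example following the layout in POSTSCREEN_README (this is not Phil's configuration and not the Postfix defaults file): port 25 is handed from smtpd to postscreen in master.cf, and the main.cf settings turn on the pregreet test and the non-SMTP-command test that matches the "non-SMTP command" warnings from the first post. postscreen needs Postfix 2.8 or later, which is why an OS upgrade was needed; the service names and columns below are the standard ones from that README, and the cache path is the conventional one.

```conf
# master.cf
# Before: smtpd answers port 25 directly
#smtp      inet  n       -       n       -       -       smtpd
# After: postscreen answers port 25 and passes clients that behave to smtpd
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy

# main.cf
# never screen our own networks
postscreen_access_list = permit_mynetworks
# drop clients that talk before the 220 greeting is complete
postscreen_greet_action = enforce
# drop clients that send non-SMTP commands (the garbage seen in the maillog)
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = drop
# remember PASS/FAIL decisions per client address
postscreen_cache_map = btree:$data_directory/postscreen_cache
```

Two caveats a practitioner should know before copying this. First, postscreen's decisions are cached per client address (the postscreen_cache_map above), so behind a NAT firewall one legitimate sender that passes puts the gateway address on the temporary whitelist, and everything else arriving through that gateway is then passed straight to smtpd; that is the behaviour the "PASS OLD" lines later in this thread show. Second, the non-SMTP-command test is one of postscreen's deeper tests: on first contact postscreen itself holds the SMTP dialogue and answers with a 4XX "try again" status, so legitimate first-time senders are delayed until their retry, which is expected and not a fault. The only NAT-aware path postscreen offers is postscreen_upstream_proxy_protocol (Postfix 2.10 and later), and it only helps when the device in front speaks the HAProxy PROXY protocol and so forwards the real client address; a plain NAT firewall does not.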

  4. #4
    postscreen sounds like a very good idea, I didn't know about this yet. Although, are you certain that this will work behind NAT (I didn't read through the whole documentation)?
    Inbound Marketing & real SEO for web hosting providers
    ✎ Get in touch with me: co<at>infinitnet.de

  5. #5
    Thanks guys for the help!

    I've tried postscreen with no luck; I think because of NAT it whitelists one good mail and lets the other crappy connections pass through...

    Jan 30 16:42:43 SERVER postfix/postscreen[22702]: CONNECT from [GATEWAY]:57894
    Jan 30 16:42:43 SERVER postfix/postscreen[22702]: PASS OLD [GATEWAY]:57894

    To help a little (very little) bit I've blocked up to 3100 IPs on the firewall; now websites are loading after 30 sec (more than 2 minutes before).

    But I know that iptables can't handle a very large number of rules (100,000?), so this will not be effective if there are 300,000 IPs involved like you had, Phil...

    I've also got "request longer than 2048: ..." in the maillog.
    Is it safe to drop packets bigger than that for SMTP communications?
