
Date:  Fri, 25 Jul 2008 09:52:30 +1000
From:  Greg Kuhnert <greg.kuhnert (at mark) theanchoragesylvania.com>
Subject:  [coba-e:13595] Re: Dovecot/POP3 Flood
To:  patricko <patricko (at mark) staff.singnet.com.sg>
Cc:  coba-e (at mark) bluequartz.org
Message-Id:  <488915BE.4000303 (at mark) theanchoragesylvania.com>
In-Reply-To:  <20080724104251.3546babe@patricko>
References:  <1216778280.25751.5.camel (at mark) columbus.webtent.org> <20080724104251.3546babe (at mark) patricko>
X-Mail-Count: 13595

Hi Patricko.

FYI, I have done some "ipt_recent" iptables stuff before. In my case, I 
was doing some throttling for a web site where users were using 
"download accelerators" on really large files. The problem was that 
some of the end users had 100+ open simultaneous sessions to apache, 
which was not good for load or memory usage.

ipt_recent was a great solution - but over time, I found it had a memory 
leak. The only way to reclaim memory was a reboot of the server.

I ended up doing stuff using mod_cband to fix my problem..... but if I 
had a choice, ipt_recent is my preferred solution.... if I could find 
out how to stabilise it.

Regards,
Greg.

patricko wrote:
>
> [Layer 4 Flood control in iptables]
>
> ## stamped all traffic in /proc/net/ipt_recent/DEFAULT 
> -A INPUT -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource 
> ## Rate limit 1 connection per sec, burst @ 2 connections (ps: this is the minimum!)
> -A INPUT -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 --name DEFAULT --rsource -j DROP 
>
>
> ### Check control is tracking
>
> cat /proc/net/ipt_recent/DEFAULT 
>
> src=219.74.51.247 ttl: 121 last_seen: 1956585471 oldest_pkt: 1
> last_pkts: 1956585471 src=203.77.177.71 ttl: 55 last_seen: 1956582001
> oldest_pkt: 2 last_pkts: 1956580036, 1956582001, 1956559582,
> 1956562414, 1956562578, 1956562578, 1956566109, 1956566288, 1956566288,
> 1956566379, 1956566379, 1956566655, 1956566655, 1956572789, 1956572803,
> 1956572803, 1956575804, 1956576866, 1956577023, 1956577023
> src=220.255.140.57 ttl: 121 last_seen: 1956592990 oldest_pkt: 1
> last_pkts: 1956592990 src=116.14.197.29 ttl: 120 last_seen: 1956591639
> oldest_pkt: 1 last_pkts: 1956591639
>
> ### Check control is working
>
> netstat -anop 
>
> and list connections to port 110; you will see only 2 active connections per IP 
>
>
>
>
> On Tue, 22 Jul 2008 21:57:59 -0400
> Robert Fitzpatrick <lists (at mark) webtent.net> wrote:
>
>   
>> I've seen some talk about Dovecot repeating password prompts on the list
>> and while this happens to us from time to time, the procedure for
>> restarting some things along with dbrecover always seems to work.
>> Tonight I had two servers do it at the same time, so I'm assuming a
>> flood/attack of some sort?
>>
>> Is there any recommended way or dovecot settings to avoid this from
>> happening?
>>
>> -- 
>> Robert
>>
>>
>>     
>
>
>
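As an added example (not code from the thread), here is a small POSIX shell helper for the "check control is tracking" step: it reads the recent-module table that patricko inspects with `cat`, re-joins entries that a terminal or mail client wrapped across lines, and reports how many packet timestamps each source has accumulated, so the sources at or above the rule's `--hitcount` stand out. The sample table is constructed with documentation addresses; the function names and the `/proc` path note are assumptions, not part of the original post.

```shell
#!/bin/sh
# Summarise a recent-module tracking table: one "src hits" line per source,
# where hits is the number of timestamps recorded after "last_pkts:".
# Note: 2.6.x kernels expose the table at /proc/net/ipt_recent/<name>;
# later kernels moved it to /proc/net/xt_recent/<name>.
recent_summary() {
    tr '\n' ' ' < "$1" | awk '
        function emit() { if (src != "") print src, hits }
        {
            src = ""; hits = 0; counting = 0
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) == "src=") {
                    emit()                     # flush the previous entry
                    src = substr($i, 5); hits = 0; counting = 0
                } else if ($i == "last_pkts:") {
                    counting = 1               # every field from here on is a timestamp
                } else if (counting) {
                    hits++
                }
            }
            emit()
        }' | sort -k2,2nr
}

# Sources whose recorded hits reach the rule's --hitcount: with the two rules
# above these are the ones whose new connections are currently being dropped.
over_threshold() {
    recent_summary "$1" | awk -v h="$2" '$2 >= h { print $1 }'
}

# Constructed sample table (RFC 5737 documentation addresses, not real hosts);
# the last entry is deliberately wrapped the way it appears in a mail quote.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
src=192.0.2.10 ttl: 121 last_seen: 1956585471 oldest_pkt: 1 last_pkts: 1956585471
src=192.0.2.20 ttl: 55 last_seen: 1956582001 oldest_pkt: 2 last_pkts: 1956580036, 1956582001
src=198.51.100.7 ttl: 120 last_seen: 1956591639 oldest_pkt: 1
last_pkts: 1956591639
EOF

recent_summary "$SAMPLE"
over_threshold "$SAMPLE" 2
```

Run it against the live table (`recent_summary /proc/net/ipt_recent/DEFAULT`) to confirm the `--set` rule is recording sources before trusting the `--update ... -j DROP` rule to enforce the limit.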