
Date:  Thu, 24 Jul 2008 17:05:50 -0700
From:  "rcaron" <rcaron (at mark) nwdemarc.com>
Subject:  [coba-e:13596] Re: Dovecot/POP3 Flood
To:  coba-e (at mark) bluequartz.org
Message-Id:  <20080725000156.M25819 (at mark) nwdemarc.com>
In-Reply-To:  <488915BE.4000303 (at mark) theanchoragesylvania.com>
References:  <1216778280.25751.5.camel (at mark) columbus.webtent.org> <20080724104251.3546babe (at mark) patricko> <488915BE.4000303 (at mark) theanchoragesylvania.com>
X-Mail-Count: 13596

Would it be better to have a firewall with deep packet inspection to handle
the flood/attacks?

Not to start anything, but since I put up a transparent firewall with deep
packet inspection I have not had a problem.

Rob
On Fri, 25 Jul 2008 09:52:30 +1000, Greg Kuhnert wrote
> Hi Patricko.
> 
> FYI, I have done some "ipt_recent" iptables stuff before. In my case,
>  I was doing some throttling for a web site where users were using 
> "download accelerators" on really large files. The problem was, that 
> some of the end users had 100+ open simultaneous sessions to apache, 
> which was not good for load or memory usage.
> 
> ipt_recent was a great solution - but over time, I found it had a 
> memory leak. The only way to reclaim memory was a reboot of the server.
> 
> I ended up doing stuff using mod_cband to fix my problem..... but if 
> I had a choice, ipt_recent is my preferred solution.... if I could 
> find out how to stabilise it.
> 
> Regards,
> Greg.
> 
> patricko wrote:
> >
> > [Layer 4 Flood control in iptables]
> >
> > ## stamped all traffic in /proc/net/ipt_recent/DEFAULT
> > -A INPUT -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name DEFAULT --rsource
> > ## Rate limit 1 connection per sec, burst @ 2 connections (ps: this is the minimum!)
> > -A INPUT -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 --name DEFAULT --rsource -j DROP
> >
> >
> > ### Check control is tracking
> >
> > cat /proc/net/ipt_recent/DEFAULT 
> >
> > src=219.74.51.247 ttl: 121 last_seen: 1956585471 oldest_pkt: 1 last_pkts: 1956585471
> > src=203.77.177.71 ttl: 55 last_seen: 1956582001 oldest_pkt: 2 last_pkts: 1956580036, 1956582001, 1956559582, 1956562414, 1956562578, 1956562578, 1956566109, 1956566288, 1956566288, 1956566379, 1956566379, 1956566655, 1956566655, 1956572789, 1956572803, 1956572803, 1956575804, 1956576866, 1956577023, 1956577023
> > src=220.255.140.57 ttl: 121 last_seen: 1956592990 oldest_pkt: 1 last_pkts: 1956592990
> > src=116.14.197.29 ttl: 120 last_seen: 1956591639 oldest_pkt: 1 last_pkts: 1956591639
> >
> > ### Check control is working
> >
> > netstat -anop 
> >
> > and list the IPs connected to port 110; you will see only 2 active connections per IP
> >
> >
> >
> >
> > On Tue, 22 Jul 2008 21:57:59 -0400
> > Robert Fitzpatrick <lists (at mark) webtent.net> wrote:
> >
> >   
> >> I've seen some talk about Dovecot repeating password prompts on the list
> >> and while this happens to us from time to time, the procedure for
> >> restarting some things along with dbrecover always seems to work.
> >> Tonight I had two servers do it at the same time, so I'm assuming a
> >> flood/attack of some sort?
> >>
> >> Is there any recommended way or dovecot settings to avoid this from
> >> happening?
> >>
> >> -- 
> >> Robert
> >>
> >>
> >>     
> >
> >
> >
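The two ipt_recent rules patricko quotes above work as a pair: the --set rule stamps every NEW connection, and the --update --seconds 1 --hitcount 2 rule drops a connection when the source already has two stamps inside the window, which is why the net effect is one new POP3 connection per second per source. The following Python model, added here as an illustration and not code from patricko, the list or any project, parses a /proc/net/ipt_recent table in the quoted format and replays the two-rule decision; it assumes stamps are jiffies at HZ=250 and a 20-entry ring per source, and its sample table is constructed.

```python
import re

# ASSUMPTION: ipt_recent stamps are kernel jiffies; HZ=250 is one common value.
HZ = 250
# ASSUMPTION: the table keeps the last 20 stamps per source (old ipt_recent default).
LIST_LEN = 20

ENTRY_RE = re.compile(
    r"src=(\S+) ttl: (\d+) last_seen: (\d+) oldest_pkt: (\d+) last_pkts: ([\d, ]+)")

def parse_recent_table(text):
    """Parse /proc/net/ipt_recent/<name> output into {src: [stamps...]}.
    Whitespace is normalised first so records wrapped across lines still parse."""
    flat = " ".join(text.split())
    table = {}
    for m in ENTRY_RE.finditer(flat):
        table[m.group(1)] = [int(s) for s in m.group(5).replace(",", " ").split()]
    return table

def hits_in_window(stamps, now, seconds):
    """Count stamps no older than `seconds` at jiffies `now` (the --rcheck/--update loop)."""
    return sum(1 for s in stamps if now - s <= seconds * HZ)

def new_connection(table, src, now, seconds=1, hitcount=2):
    """Apply rule 1 (--set) then rule 2 (--update ... -j DROP) for one NEW packet.
    Rule 1 records the packet first, so hitcount=2 allows one connection per window."""
    stamps = table.setdefault(src, [])
    stamps.append(now)            # rule 1: --set
    del stamps[:-LIST_LEN]        # the table is a bounded ring per source
    if hits_in_window(stamps, now, seconds) >= hitcount:
        return "DROP"             # rule 2 matched
    return "ACCEPT"               # falls through to the later INPUT rules

# Constructed sample in the format of the quoted /proc output (documentation IPs);
# the second record is deliberately wrapped like the mail-quoted original.
SAMPLE = """\
src=203.0.113.10 ttl: 121 last_seen: 1956585471 oldest_pkt: 1 last_pkts: 1956585471
src=203.0.113.20 ttl: 55 last_seen: 1956582001 oldest_pkt: 3
last_pkts: 1956581900, 1956581950, 1956582001
"""

if __name__ == "__main__":
    table = parse_recent_table(SAMPLE)
    for src, now in [("203.0.113.20", 1956582100), ("203.0.113.10", 1956585771)]:
        print(src, now, new_connection(table, src, now))
```

Replaying three connections from one fresh source at jiffies 5, 100 and 400 gives ACCEPT, DROP, ACCEPT, which is the "1 connection per sec" behaviour the rule comment describes.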