[Pool] defending against DDoS attacks
mouse at Rodents-Montreal.ORG
Sat Feb 22 01:35:03 UTC 2014
> What I saw was a server that WAS serving monlist packets. I
> corrected the config to fix this, and was still seeing 2000+ packets
> a second incoming.
That will continue for a nontrivial time.
I used to just rate-block (like rate-limiting except that when the
limit trips, it drops them all, not just the ones that exceed the
limit). In an email exchange with a victim site, I finally said "nolo
contendere" and ripped REQ_MON_GETLIST and REQ_MON_GETLIST_1 support
That was over a week ago. I'm still getting high rates of packets to
port 123, even though I haven't supported monlist for over a week.
> The IPTables rule stops that, and other abusive (too chatty) clients.
> Never hurts to have two lines of defense.
True. I still have my rate-trips up too. The blacklist in my border
is cruising around 1K entries, almost all of them having landed there
because of excessive port-123 traffic. (About 99%, based on a
quick-&-dirty log scan - list's at 1065 and had 11 other "add"s.)
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse at rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
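A small detector and rate-block, added here as an illustration (not code from the list or from ntpd): it recognises NTP mode-7 requests carrying the two opcodes named above, and it implements the rate-*block* behaviour the post describes, where a source that trips the limit is dropped entirely for a penalty period rather than only above the limit. The opcode values 20 and 42 are ntpd's ntp_request.h values; the sample packets, source addresses and thresholds are constructed.

```python
from collections import defaultdict, deque

# Opcodes from ntpd's ntp_request.h; they travel in mode-7 "private" packets.
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42
NTP_MODE_PRIVATE = 7


def is_monlist_request(payload: bytes) -> bool:
    """True if a UDP/123 payload is a mode-7 *request* for either monlist
    opcode.  Byte 0 is R|M|VN(3)|Mode(3); byte 2 the implementation id;
    byte 3 the request code.  Responses (R bit set) are not flagged."""
    if len(payload) < 8:
        return False
    response_bit = payload[0] & 0x80
    mode = payload[0] & 0x07
    return (not response_bit and mode == NTP_MODE_PRIVATE
            and payload[3] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


class RateBlock:
    """Rate-block: once a source sends more than `limit` packets inside
    `window` seconds, drop *everything* from it for `penalty` seconds."""

    def __init__(self, limit=10, window=1.0, penalty=60.0):
        self.limit, self.window, self.penalty = limit, window, penalty
        self.seen = defaultdict(deque)   # src -> timestamps inside window
        self.blocked = {}                # src -> time the block expires

    def allow(self, src: str, now: float) -> bool:
        expires = self.blocked.get(src)
        if expires is not None:
            if now < expires:
                return False             # still serving the penalty
            del self.blocked[src]
        q = self.seen[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                  # forget packets outside the window
        if len(q) > self.limit:
            self.blocked[src] = now + self.penalty
            q.clear()
            return False
        return True


# Constructed samples (not captured traffic): a REQ_MON_GETLIST_1 probe
# (0x17 = version 2, mode 7; impl 3) and an ordinary mode-3 client poll.
MONLIST_PROBE = bytes([0x17, 0x00, 0x03, REQ_MON_GETLIST_1]) + b"\x00" * 4
CLIENT_POLL = bytes([0x23]) + b"\x00" * 47    # LI=0, VN=4, mode=3
```

A plain rate-limiter would accept packets again as soon as the window slid past; the block above keeps dropping until the penalty expires, which is the distinction the post draws.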