[Pool] defending against DDoS attacks

Mouse mouse at Rodents-Montreal.ORG
Sat Feb 22 01:35:03 UTC 2014


> What I saw was a server that WAS serving monlist packets.  I
> corrected the config to fix this, and was still seeing 2000+ packets
> a second incoming.

That will continue for a nontrivial time.

I used to just rate-block (like rate-limiting except that when the
limit trips, it drops them all, not just the ones that exceed the
limit).  In an email exchange with a victim site, I finally said "nolo
contendere" and ripped REQ_MON_GETLIST and REQ_MON_GETLIST_1 support
out entirely.

That was over a week ago.  I'm still getting high rates of packets to
port 123, even though I haven't supported monlist for over a week.

> The IPTables rule stops that, and other abusive (too chatty) clients.

> Never hurts to have two lines of defense.

True.  I still have my rate-trips up too.  The blacklist in my border
is cruising around 1K entries, almost all of them having landed there
because of excessive port-123 traffic.  (About 99%, based on a
quick-&-dirty log scan - list's at 1065 and had 11 other "add"s.)

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse at rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
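The difference between rate-limiting and the rate-blocking described in the message above, as an added example (not part of the original post and not the poster's border code). The thresholds, the hold time, the millisecond timestamps and the documentation-range addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def _expire(q, ts, window):
    # Forget timestamps that have slid out of the window.
    while q and ts - q[0] >= window:
        q.popleft()

def rate_limit(packets, limit, window):
    """Pass up to `limit` packets per source per window; drop only the excess."""
    seen, passed = defaultdict(deque), []
    for ts, src in packets:
        q = seen[src]
        _expire(q, ts, window)
        if len(q) < limit:
            q.append(ts)
            passed.append((ts, src))
    return passed

def rate_block(packets, limit, window, hold):
    """Once a source trips the limit, drop everything from it until it has
    been silent for `hold` ms (the hold time is an assumption)."""
    seen, blocked, passed = defaultdict(deque), {}, []
    for ts, src in packets:
        if src in blocked:
            if ts - blocked[src] < hold:
                blocked[src] = ts          # still talking: block stays armed
                continue
            del blocked[src]               # quiet long enough: start afresh
            seen[src].clear()
        q = seen[src]
        _expire(q, ts, window)
        q.append(ts)
        if len(q) > limit:
            blocked[src] = ts              # limit tripped: blacklist the source
            continue
        passed.append((ts, src))
    return passed, set(blocked)

def constructed_traffic():
    # Constructed sample (timestamps in ms): one source sending 20 packets/s
    # for 30 s, and one client polling every 16 s.
    flood = [(t, "198.51.100.7") for t in range(0, 30000, 50)]
    client = [(t, "192.0.2.10") for t in range(0, 64000, 16000)]
    return sorted(flood + client)

if __name__ == "__main__":
    pkts = constructed_traffic()
    limited = rate_limit(pkts, limit=5, window=1000)
    passed, blacklist = rate_block(pkts, limit=5, window=1000, hold=60000)
    print(len(pkts), "in;", len(limited), "pass the limiter;",
          len(passed), "pass the rate-block; blacklist:", sorted(blacklist))
```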

