DaemonForums > OpenBSD > OpenBSD Security

  #1
Old 6th November 2015
pawkolor
Server mail attack DDoS

Hi, I would like to ask the advanced users how to defend a mail server against a DDoS attack. I have a mail account at Protonmail.com. This is a mail server in Switzerland that isn't touched by the "NSA". But how, using OpenBSD, can you defend your mail server?

https://twitter.com/protonmail?lang=pl
https://www.facebook.com/protonmail/

Strange question, but important to me!

  #2
Old 6th November 2015
frcc
how to defend mail server

Have you read the "Book of PF" by Peter N.M. Hansteen

-OR-

Absolute OpenBSD by Michael W. Lucas

-BOTH-

have good practical examples.

Good luck

  #3
Old 6th November 2015
jggimi

The wordpress page states that this began as an attack against a single server, but continued against the upstream infrastructure.

Without knowing anything more than this, it's impossible to provide any useful advice. So I'll reply in the same vague terms.

There are three steps:
  1. Determine the nature of an attack, and how it differs from valid, desired traffic.
  2. Block the bad traffic, and the bad traffic only.
  3. Go to Step 1, for the next attack.
Can tools like PF help? Sure. Stateful Tracking Options are an easy fix for certain types of DOS attacks. But not for all.

And any sort of PF rule won't help until you reach Step 2. Getting there requires completing Step 1. And that's the hard part.

  #4
Old 7th November 2015
pawkolor

Hi, I think the malware used was Linux/Xor.DDOS
http://blog.malwaremustdie.org/

But back to OpenBSD: pf is able to filter 100Gbps. If I have a mail server with port 25 open and filter this port, PF is able to protect against that strong DDoS.

But the 3 ProtonMail guys from CERN know how to filter bad packets, and don't deal with it.

OK, for example I have OpenSMTPD with port 25 open and 500 thousand users.
What PF rule should I use to protect me against DDoS?

  #5
Old 7th November 2015
Nomega

You're wrong. The biggest botnets are Microsoft related. Tell Microsoft to stop making vulnerabilities in Windows - voilà, no mass hacking, no big botnets.

I wonder why (you) Windows users want to use OpenSMTPD and pf?

  #6
Old 7th November 2015
pawkolor

Where did I write that? I want to use a mail server.
Quote:
for example I have OpenSMTPD with port 25 open and 500 thousand users.
What PF rule should I use to protect me against DDoS?
I want to understand how ProtonMail should protect its mail server.

And guys, don't joke with me. You only use Linux and OpenBSD.
If you do not know the answer, please do not waste my time.

  #7
Old 7th November 2015
jggimi

Quote:
Originally Posted by pawkolor
Hi, I think the malware used was Linux/Xor.DDOS
http://blog.malwaremustdie.org/
I do not have access, and without details on the type of ongoing attacks, I cannot point you to any PF rules that would be of value. I must continue to be vague and useless.
I'll repeat: How do you know a "good" packet from a "bad" packet?
Quote:
If I have a mail server with port 25 open and filter this port, PF is able to protect against that strong DDoS.
I'll try again. Until you can tell your packet filtering "firewall" tool which packets are good and which packets are bad, it doesn't matter which tool you use. As for PF, it can only make decisions based on information available to it in Layer 3, such as IP addresses, IP protocols, and IP / TCP / UDP packet headers.

I mentioned Stateful Tracking Options above. As an example, it can help by blocking an IP address when that IP address violates guidelines which the admin defines as "good" traffic.

Let us pretend that I have a mail server and I wish to block any single client that tries to have more than one connection to my server, or connect more than once every 30 seconds. If an IP address tries to have two connections, or tries to connect more than once every half-minute, it is considered either a Denial Of Service (DOS) attack, or a misuse of services, and the address is blocked.

This example ruleset is likely to block real, legitimate traffic, but I'm only using this to make a point regarding DDOS vs. DOS attacks.
Code:
# addresses that violated the limits below; keep the table even when empty
table <abusive_hosts> persist
block in quick from <abusive_hosts>

# one connection per client at a time, and at most one new connection
# every 30 seconds; violators go into the table and lose their existing states
pass in on $ext_if proto tcp to $mail_server port 25 keep state \
    (max-src-conn 1, max-src-conn-rate 1/30, overload <abusive_hosts> flush)
What's different about DDOS? It's a Distributed Denial Of Service attack. If there is a bot-army of 100,000 random IP addresses, each connecting twice every minute, that's 200,000 connections per minute that this very restrictive ruleset would pass to the mail server.

Stateful tracking options can also limit the number of states that are allowed to be established in total from all IP addresses. Here's an example that only permits 1,000 simultaneous connections.
Code:
pass in on $ext_if proto tcp to $mail_server port 25 keep state (max 1000)
That may keep the mail server functional, since it limits the number of connections from all IP addresses, but it does not stop the denial of service, since legitimate traffic is blocked.

If the admin cannot determine which packets are good and which are bad, the admin cannot filter out only the bad traffic. It's that simple. As far as I know, very few evil doers are using the Evil Bit.
Quote:
But back to OpenBSD: pf is able to filter 100Gbps.
That blanket statement is not meaningful. PF throughput performance is currently constrained by multiple factors, such as the speed of a single CPU, the specific NICs deployed, and the number of packets per second to be processed.

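To make the DOS-versus-DDOS point above concrete, here is an added simulation; it is not code from the thread and it is not PF, just a small model of what the stateful tracking options in jggimi's two rulesets decide for each connection attempt. The addresses, timestamps and the 100,000-host botnet are all constructed for the simulation, and the 1/30 rate mirrors the "once every 30 seconds" rule described in the post.

```python
# Added example, not code from the thread or from PF itself: a toy model of the
# stateful tracking options jggimi describes (max-src-conn, max-src-conn-rate with
# "overload <abusive_hosts> flush", and a global "max" state cap), run against one
# abusive client and against a constructed 100,000-host botnet.
from collections import defaultdict, deque


class StatefulTracker:
    """Models 'keep state (max-src-conn N, max-src-conn-rate N/S, overload <t> flush, max M)'."""

    def __init__(self, max_src_conn=None, max_src_conn_rate=None, max_states=None):
        self.max_src_conn = max_src_conn            # simultaneous states per source
        self.max_src_conn_rate = max_src_conn_rate  # (connections, seconds) per source
        self.max_states = max_states                # cap on states for the whole rule
        self.abusive_hosts = set()                  # the <abusive_hosts> table
        self.active = defaultdict(int)              # source -> currently open states
        self.recent = defaultdict(deque)            # source -> times of accepted connections
        self.total_states = 0
        self.passed = 0
        self.blocked = 0

    def _overload(self, src):
        # "overload <abusive_hosts> flush": table the source and kill its states
        self.abusive_hosts.add(src)
        self.total_states -= self.active.pop(src, 0)
        self.recent.pop(src, None)

    def connect(self, t, src):
        """New TCP connection from src at time t (seconds); True if the rule passes it."""
        if src in self.abusive_hosts:               # block in quick from <abusive_hosts>
            self.blocked += 1
            return False
        if self.max_src_conn is not None and self.active[src] >= self.max_src_conn:
            self._overload(src)
            self.blocked += 1
            return False
        if self.max_src_conn_rate is not None:
            count, seconds = self.max_src_conn_rate
            window = self.recent[src]
            while window and t - window[0] >= seconds:  # forget connections outside the window
                window.popleft()
            if len(window) >= count:
                self._overload(src)
                self.blocked += 1
                return False
        if self.max_states is not None and self.total_states >= self.max_states:
            self.blocked += 1                       # "max": no new state, but no tabling either
            return False
        self.active[src] += 1
        self.total_states += 1
        self.recent[src].append(t)
        self.passed += 1
        return True

    def close(self, src):
        if self.active[src] > 0:                    # the session ended; its state goes away
            self.active[src] -= 1
            self.total_states -= 1


ABUSER = "192.0.2.10"      # constructed (RFC 5737 documentation range)
LEGIT = "198.51.100.7"     # constructed


def constructed_botnet(n):
    return [f"10.{i >> 16}.{(i >> 8) & 255}.{i & 255}" for i in range(n)]


def dos_scenario():
    """One client opens a second parallel connection: the per-source rule catches it."""
    pf = StatefulTracker(max_src_conn=1, max_src_conn_rate=(1, 30))
    abuser = [pf.connect(0, ABUSER)]                # first connection passes
    legit = [pf.connect(1, LEGIT)]
    pf.close(LEGIT)
    abuser.append(pf.connect(5, ABUSER))            # second open connection -> overload
    legit.append(pf.connect(40, LEGIT))             # 39 s later: within the rate limit
    abuser.append(pf.connect(60, ABUSER))           # still in the table -> blocked
    return {"abuser_passed": abuser.count(True), "abuser_blocked": abuser.count(False),
            "legit_passed": legit.count(True), "table": sorted(pf.abusive_hosts)}


def ddos_scenario(bots=100_000):
    """Every bot stays inside the per-source limits, so the same rule passes all of it."""
    pf = StatefulTracker(max_src_conn=1, max_src_conn_rate=(1, 30))
    sources = constructed_botnet(bots)
    for t in (0, 30):                               # each bot connects twice a minute
        for src in sources:
            pf.connect(t, src)
            pf.close(src)                           # short session, state released
    return {"passed": pf.passed, "blocked": pf.blocked, "table_size": len(pf.abusive_hosts)}


def state_cap_scenario(bots=100_000, cap=1000):
    """'max 1000' keeps the server up, but a late legitimate client is refused too."""
    pf = StatefulTracker(max_states=cap)
    for src in constructed_botnet(bots):
        pf.connect(0, src)                          # bots hold their connections open
    counts = (pf.passed, pf.blocked)
    return {"bot_passed": counts[0], "bot_blocked": counts[1], "legit_passed": pf.connect(1, LEGIT)}


if __name__ == "__main__":
    print(dos_scenario(), ddos_scenario(), state_cap_scenario(), sep="\n")
```

dos_scenario shows the first ruleset doing its job against a single abuser (one pass, then tabled) while a well-behaved client keeps getting through; ddos_scenario reproduces the 200,000 connections per minute that the same ruleset waves through when each bot looks like a polite client; state_cap_scenario shows the "max 1000" rule admitting exactly 1,000 bots and then refusing the legitimate client along with the other 99,000, which is the denial of service the post says this option does not stop.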

  #8
Old 7th November 2015
frcc
ddos dos attacks

The above mentioned books do give some nice examples of greylisting, which may or may not help you, as well as how to set up pf for handling (abusive hosts), which gives you many pf related knobs to turn when determining connection rate, source etc. The example mentioned above by jggimi concerning (abusive hosts) works well for us. We use tables for other filtering reasons, which pf handles at amazing speed. Example: we filter out all traffic that is not from a US IP (CIDR) block. The search by pf is almost instantaneous for such a large number of IPs.

Once again, if you can answer jggimi's question concerning what is a bad packet, pf may be able to help you defend against it.


  #9
Old 7th November 2015
e1-531g

Quote:
Originally Posted by pawkolor
But the 3 ProtonMail guys from CERN know how to filter bad packets, and don't deal with it.
Probably they don't have enough hardware (processing power) to deal with such a big DDOS attack.

  #10
Old 7th November 2015
jggimi

I know very little about XOR DDOS attacks themselves, only that they are SYN and DNS attacks with spoofed IP addresses and spoofed TTL values from zombied Linux bot-armies. Commercial firms such as Akamai are selling mitigation solutions with specifics. Since I don't have any specifics, I can only postulate that the SYN flood attacks, if they are deployed, might be mitigated by PF's synproxy state option. I don't know for certain, and this doesn't address the other possible forms of attack.
