Mail server DDoS attack
Hi, I would like to ask an advanced user: how do you defend a mail server from a DDoS attack? I have a mail account at Protonmail.com. This is a mail server in Switzerland that isn't touched by the "NSA". But how, using OpenBSD, can you defend your mail server?
https://twitter.com/protonmail?lang=pl https://www.facebook.com/protonmail/ Strange question, but important to me!!
|
how to defend mail server
Have you read "The Book of PF" by Peter N.M. Hansteen
-OR- Absolute OpenBSD by Michael W. Lucas? -BOTH- have good practical examples. Good luck
|
Hi, I think the malware used was Linux/Xor.DDoS.
http://blog.malwaremustdie.org/ But back to OpenBSD: pf is able to filter 100Gbps. If I have a mail server with port 25 open and filter this port, is pf able to protect against such a strong DDoS? But ProtonMail, 3 guys from CERN, know how to filter bad packets, and they still couldn't handle it. OK, for example I have OpenSMTPD with port 25 open and 500 thousand users. What ""PF"" rule should I use to protect myself against DDoS?
|
You're wrong. The biggest botnets are Microsoft related. Tell Microsoft to stop making vulnerabilities in Windows - voilà, no mass hacking, no big botnets.
I wonder why (you) a Windows user wants to use OpenSMTPD and pf?
|
Where did I write that I want to use a mail server?
And guy, you are not joking with me. You only use Linux and OpenBSD. If you do not know the answer, please do not waste my time.
|
I'll repeat: How do you know a "good" packet from a "bad" packet?

I mentioned Stateful Tracking Options above. As an example, it can help by blocking an IP address when that IP address violates guidelines which the admin defines as "good" traffic. Let us pretend that I have a mail server and I wish to block any single client that tries to have more than one connection to my server, or connect more than once every 30 seconds. If an IP address tries to have two connections, or tries to connect more than once every half-minute, it is considered either a Denial Of Service (DOS) attack, or a misuse of services, and the address is blocked. This example ruleset is likely to block real, legitimate traffic, but I'm only using this to make a point regarding DDOS vs. DOS attacks. Code:

table <abusive_hosts> persist
block in quick from <abusive_hosts>
# max-src-conn-rate is number/seconds: one new connection per 30 seconds
pass in on $ext_if proto tcp to $mail_server port 25 keep state \
    (max-src-conn 1, max-src-conn-rate 1/30, overload <abusive_hosts> flush)

Stateful tracking options can also limit the number of states that are allowed to be established in total from all IP addresses. Here's an example that only permits 1,000 simultaneous connections. Code:

pass in on $ext_if proto tcp to $mail_server port 25 keep state (max 1000)

If the admin cannot determine which packets are good and which are bad, the admin cannot filter out only the bad traffic. It's that simple. As far as I know, very few evil doers are using the Evil Bit.

Last edited by jggimi; 7th November 2015 at 03:46 PM. Reason: typos, clarity, then restructuring for more clarity and more corrections
|
ddos dos attacks
The above mentioned books do give some nice examples of greylisting, which may or may not help you, as well as how to set up pf for handling (abusive hosts), which gives you many pf related knobs to turn when determining connection rate, source, etc. The example mentioned above by jggimi concerning (abusive hosts) works well for us. We use tables for other filtering reasons, which pf handles at amazing speed. Example: we filter out all traffic that is not from a US IP (CIDR) block. The search by pf is almost instantaneous for such a large number of IPs. Once again, if you can answer jggimi's question concerning what is a bad packet, pf may be able to help you defend against it.
|
Probably they don't have enough hardware (processing power) to deal with such a big DDOS attack.
I know very little about XOR DDOS attacks themselves, only that they are SYN and DNS attacks with spoofed IP addresses and spoofed TTL values from zombied Linux bot-armies. Commercial firms such as Akamai are selling mitigation solutions with specifics. Since I don't have any specifics, I can only postulate that the SYN flood attacks, if they are deployed, might be mitigated by PF's synproxy state option. I don't know for certain, and this doesn't address the other possible forms of attack.
Last edited by jggimi; 7th November 2015 at 05:44 PM. Reason: clarity
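The pieces discussed in this thread (jggimi's overload table and per-source limits, plus the synproxy state option from the post above) combined into one pf.conf fragment for an OpenSMTPD host. This is an added example, not a ruleset posted by anyone in the thread; the interface name, server address, state limit and all thresholds are assumptions to adjust for your own traffic.

```pf
# Assumed interface and server address; replace with your own.
ext_if = "em0"
mail_server = "192.0.2.25"

# Raise the global state ceiling so a flood cannot exhaust the state table
# before the per-source limits below take effect (value assumed).
set limit states 200000

# Offenders collected by the overload option. 'persist' keeps the table
# alive across ruleset reloads even when it is momentarily empty.
table <abusive_hosts> persist

# Drop everything from a listed source before any other rule is evaluated.
block in quick on $ext_if from <abusive_hosts>

# SMTP: pf completes the TCP handshake with the client itself (synproxy)
# and only then opens the connection to OpenSMTPD, so half-open SYNs from
# forged source addresses never reach the daemon.
# Per source address: at most 25 concurrent connections and no more than
# 15 new connections per 30 seconds (number/seconds). A source that exceeds
# either limit is added to <abusive_hosts> and all of its existing states
# are torn down (flush global). Thresholds are assumed, not measured.
pass in on $ext_if proto tcp from any to $mail_server port smtp \
    synproxy state \
    (max-src-conn 25, max-src-conn-rate 15/30, \
     overload <abusive_hosts> flush global)
```

Inspect what the rule has caught with `pfctl -t abusive_hosts -T show`, and let entries age out by running `pfctl -t abusive_hosts -T expire 3600` from cron, which removes addresses added more than 3600 seconds ago.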