[TriLUG] Strange mailserver flood
Brian Daniels
bitmage at pobox.com
Wed Apr 30 10:36:12 EDT 2008
On Wed, Apr 30, 2008 at 10:25:23AM -0400, Lance A. Brown wrote:
> > The attack resembles a mini-DDoS more than anything else. I haven't figured out
> > any method of blocking it, as it appears that each 'attacking' machine only
> > sends one message to us - there's just a bunch of them in the botnet.
> > Suggestions are welcome!
>
> Well, that negates my idea then... :-(
>
Actually, it's a good one. Looking deeper into the logs, it looks like fail2ban
blocked several thousand of them. I was wrong about the one machine-one message
above.
Unfortunately, the flood is more than the TCP stack can handle. I have to look
into tuning that...
--Brian
--
Be it thy course to busy giddy minds
With foreign quarrels; that action, hence borne out,
May waste the memory of the former days.
Henry IV, Part 2
Brian Daniels bitmage at pobox.com
http://www.eviloverlord.net