Security Incidents mailing list archives
Re: Distributed spam-based DoS in progress
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Tue, 18 Feb 2003 07:48:20 +0100 (CET)
On Mon, 17 Feb 2003, Transistor Sister wrote:
We are currently experiencing a DoS attack against our mail relays. The attack was first noticed on Sunday morning EST when our mail queues began to fill. Initially, the attack came from roughly 100 or so hosts sending varied spam to nonexistant users at our domain, which could not be bounced back to the originating host. The nature of the messages are so varied that they may have been taken from a spam archive somewhere. We counted well over 70 thousand messages spread over our 4 relays from these hosts, some queues large enough to take the relay down. We began filtering to get some of this under control, only to have it migrate to a new set of hosts and increasing in intensity tonight at about 6PM EST. We now have over 300 unique IPs blocked at the router. I am not sure whether anyone else is seeing this, and although I did find a couple of related issues from users on the spamcop list from November of last year, spam only seems to be the means by which the DoS is accomplished. I wanted to bring this out in the event that someone else may have seen this type of attack. If so, any additional information would be valuable.
Pardon me for noting that your mailserver seems to be broken.
If a message is undeliverable it will be bounced BUT if the bounce message
can not be delivered it will be discarded immediatly to prevent double
bounce loops.
See also RFC 2821 section 4.5.5
Hugo.
--
All email sent to me is bound to the rules described on my homepage.
hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Current thread:
- Distributed spam-based DoS in progress Transistor Sister (Feb 17)
- Re: Distributed spam-based DoS in progress Hugo van der Kooij (Feb 18)
- Re: Distributed spam-based DoS in progress Valdis . Kletnieks (Feb 18)
- Re: Distributed spam-based DoS in progress Kee Hinckley (Feb 19)
- Re: Distributed spam-based DoS in progress Transistor Sister (Feb 19)
- Re: Distributed spam-based DoS in progress Rohan Amin (Feb 20)
- RE: Distributed spam-based DoS in progress Steve Drees (Feb 19)
- Re: Distributed spam-based DoS in progress Transistor Sister (Feb 19)
- <Possible follow-ups>
- RE: Distributed spam-based DoS in progress Dave Hart (Feb 18)
- RE: Distributed spam-based DoS in progress Hugo van der Kooij (Feb 19)
- RE: Distributed spam-based DoS in progress Dave Hart (Feb 19)
- Re: Distributed spam-based DoS in progress Hugo van der Kooij (Feb 18)