[geeks] Surviving a DDoS

Ido Dubrawsky ido at dubrawsky.org
Sun Nov 25 16:39:53 CST 2007


So, last night I got a rude awakening when I noticed that all of my
e-mail had stopped as of Friday afternoon around 4 p.m.  Apparently I
had maxed out the Postfix processes I had configured (I allowed myself
100 processes but Postfix had 101 smtpd processes running).  After about
5 minutes of investigating I discovered that I was the recipient of an
e-mail resource starvation attack.  Someone has a botnet out there that
was flooding my e-mail server with bogus connections trying to send
e-mail to randomly generated users in my Silicon Security
(siliconsec.com) domain.  Suffice it to say the first thing I did was
block the traffic (although I am still getting significant numbers of
hits -- on the order of 300 per minute -- on my external firewall). 
I've resolved the problem for now and I'm working with my ISP in trying
to get to the bottom of this (I can't imagine who I could have offended
or pissed off since I haven't used that domain in over a year).  Perhaps
they're trying to "put me out of business" in order to steal the
domain?  I don't know.  As it is, if you've gotten bounced mail that you
sent to me, I think I've gotten things straightened out.  At some point
I'll blog what I did to resolve this (or perhaps I won't as that will
give whoever is out there more info to try and attack me again).  I
have, however, notified a friend in the FBI who works on cybercrime
cases and will get my logs to them soon.  This just happened out of the
blue...and what's even more interesting is that this is only targeting
the e-mail server and not the web server.  How weird is that?

Ido

-- 
===============================================================================
Ido Dubrawsky, CISSP              
Network Security Architect
dubrawsky.org
===============================================================================
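The post describes the symptom (all smtpd slots consumed by a flood of connections to non-existent recipients) but not how to pick the flood sources out of the logs. The following is an added example, not code from the original message: it parses Postfix smtpd log lines (constructed sample lines, assumed format of a stock Postfix install) and flags clients whose connections are almost entirely "User unknown" recipient rejects, which is the pattern the post describes.

```python
import re
from collections import defaultdict

# Constructed sample Postfix smtpd log lines (assumed input, not from the post):
# one client hammers random recipients, another is a legitimate sender.
SAMPLE_LOG = """\
Nov 23 16:01:02 mx postfix/smtpd[4123]: connect from unknown[198.51.100.7]
Nov 23 16:01:02 mx postfix/smtpd[4123]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <qzvx8@siliconsec.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<qzvx8@siliconsec.com> proto=ESMTP helo=<x>
Nov 23 16:01:03 mx postfix/smtpd[4124]: connect from unknown[198.51.100.7]
Nov 23 16:01:03 mx postfix/smtpd[4124]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <t7ab1@siliconsec.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<t7ab1@siliconsec.com> proto=ESMTP helo=<x>
Nov 23 16:01:03 mx postfix/smtpd[4125]: connect from unknown[198.51.100.7]
Nov 23 16:01:04 mx postfix/smtpd[4125]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <m3kq9@siliconsec.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<m3kq9@siliconsec.com> proto=ESMTP helo=<x>
Nov 23 16:01:05 mx postfix/smtpd[4126]: connect from mail.example.org[203.0.113.5]
Nov 23 16:01:06 mx postfix/smtpd[4126]: 1A2B3C: client=mail.example.org[203.0.113.5]
"""

# "connect from host[ip]" marks one smtpd process being occupied by a client.
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[([\d.]+)\]")
# Recipient rejected because the local user does not exist.
UNKNOWN_RE = re.compile(r"reject: RCPT from \S+\[([\d.]+)\]: 550 .*User unknown")

def summarize(log_text):
    """Return {client_ip: {"connects": n, "unknown_rcpt": m}} from smtpd log lines."""
    stats = defaultdict(lambda: {"connects": 0, "unknown_rcpt": 0})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            stats[m.group(1)]["connects"] += 1
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            stats[m.group(1)]["unknown_rcpt"] += 1
    return dict(stats)

def flood_sources(log_text, min_connects=3, min_unknown_ratio=0.8):
    """Clients with many connections that are mostly probes for non-existent users."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        ratio = s["unknown_rcpt"] / s["connects"] if s["connects"] else 0.0
        if s["connects"] >= min_connects and ratio >= min_unknown_ratio:
            flagged[ip] = s
    return flagged

if __name__ == "__main__":
    for ip, s in flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {s['connects']} connects, {s['unknown_rcpt']} unknown-recipient rejects")
```

On a real box, feed it the smtpd lines from the mail log and tune the thresholds to your normal traffic; the flagged addresses are candidates for the firewall block the post mentions.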
