[geeks] Surviving a DDoS

Ido Dubrawsky ido at dubrawsky.org
Tue Nov 27 07:48:20 CST 2007 

Phil Stracchino Wrote: > >> der Mouse wrote: >>> After about 5 minutes
of investigating I discovered that I was the >>> recipient of an e-mail
resource starvation attack. Someone has a >>> botnet out there that was
flooding my e-mail server with bogus >>> connections trying to send
e-mail to randomly generated users in my >>> Silicon Security
(siliconsec.com) domain >> >> Do you have any particular reason to think
it's an attack per se rather >> than just blowback from a span run that
happened to forge users at your >> domain as the senders? I've seen that
happen to two domains I've been >> involved with (my own domain and one
of my employer's domains), and it >> looks a lot like a DDoS from the
victim's point of view, but isn't >> really one in the usual sense of
the term. > > That. One of my domains (babcom.com) is no longer usable
for email > because of the volume of spam; it has been redirected into a
spamcop.net > honeypot for about five years now. I talked to Ellen at
SpamCop a > couple weeks ago, and she told me the *baseline* spam rate
on that > domain is now about 300,000 deliveries per week, and when some
spammer > uses babcom.com as the forged source for a large spam run,
they've > occasionally had to shut off the feed from the domain because
the sheer > volume has brought SpamCop's mail servers to their knees.

I got the impression that this was not a blowback from spam for a few reasons.
The big clue in my mind is that there was no sender in the connections.  They
were showing up in my /var/log/syslog file as:

  Nov 24 18:39:05 sauron postfix/smtpd[707]: [ID 197553 mail.info] NOQUEUE:
reject
  : RCPT from skywalker.mytoys.com[217.111.80.4]: 550 5.1.1
<ray at siliconsec.com>:
  Recipient address rejected: User unknown in virtual mailbox table; from=<>
  to=<ray at siliconsec.com> proto=SMTP helo=<order.mytoys.de>

that's just one example...but in no case was there a sender address in the
from= field in the e-mail.  Usually for responses to non-existent individuals
who receive spam the message sender in the response is usually "postmaster" or
something equivalent from the domain.

The hosts "attacking" did not appear to include mailers for Yahoo or AOL but
rather a whole slew of smaller systems -- approximately 14,500 of them (from
the small sample that I analyzed) -- lots of what appear to be client
endpoints -- not even MTAs -- some MS Exchange boxes and even one box from
Google's network which is not an MX:

Nov 25 09:40:19 sauron postfix/smtpd[21410]: [ID 197553 mail.info] NOQUEUE:
reje
ct: RCPT from py-out-1314.google.com[64.233.166.168]: 554 5.7.1
<mike at siliconsec.com>: Relay access denied; from=<> to=<mike at siliconsec.com>
proto=SMTP helo=<py-out-1314.google.com>

Another example would be something like:

Nov 24 18:39:07 sauron postfix/smtpd[693]: [ID 197553 mail.info] NOQUEUE:
reject: RCPT from CPE-76-178-124-43.natsow.res.rr.com[76.178.124.43]: 450
4.7.1 <goins-mail1.goins.local>: Helo command rejected: Host not found;
from=<> to=<asanders at siliconsec.com> proto=SMTP
helo=<goins-mail1.goins.local>

Notice the address: CPE-76-178-124-74.natsow.res.rr.com.  That's a RoadRunner
cable domain and it's residential.  Last I recall, RoadRunner does not allow
you to run a mail server from their residential service networks and actually
blocks inbound SMTP to the res.rr.com domain.  Doesn't mean you can't run a
mail server on that domain but typical inbound mail is blocked and you can
still spam outbound from there.

I realize that this is not conclusive evidence and that it could go either way
but my gut feeling is that this was more of a DoS than a blowback.  On top of
that I changed the MX record for that domain to an IP address that I am not
using (to try and blackhole the traffic) and it didn't do a thing...even after
12 hours of change to the DNS (yes, I realize it could take 24 hours or more
for DNS to propagate across the Internet completely) but I should have started
to see some entries in my firewall log indicating that some of the connections
were going to the dead IP address...nothing.  That seems to indicate that
whatever this was was targeting the IP address.  Bounced spam would have seen
the change in the MX record and should have started being sent to the
blackholed IP address.   I have moved the mail server to a new address and it
seemed for a short while that it was following me there a bit (I'm still
seeing occasional entries of the type I show above).  Perhaps I'm
mis-interpreting the evidence.  I'd appreciate others opinions as well.

Thanks,
Ido

--
=============================================================================
==
Ido Dubrawsky, CISSP
Network Security Architect
dubrawsky.org
=============================================================================
==




---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 071127-0, 11/27/2007
Tested on: 11/27/2007 8:48:22 AM
avast! - copyright (c) 1988-2007 ALWIL Software.
http://www.avast.com




--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the geeks mailing list