This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PushDo Attack: Does anyone know how to DROP all incoming SMTP traffic from a specific IP address?

I'm being attacked by the PushDo spamming botnet (see serverfault.com/.../email-server-attack-from-telnet), identified by the following lines which repeat in my SMTP log:

2016:02:02-16:00:56 fw exim-in[5767]: 2016-02-02 16:00:56 SMTP connection from [104.40.23.216]:49657 (TCP/IP connection count = 2)
2016:02:02-16:00:57 fw exim-in[12914]: 2016-02-02 16:00:57 SMTP connection from (ylmf-pc) [104.40.23.216]:49657 lost

I've tried to manually drop this traffic, by setting up a firewall rule for 104.40.23.216 to my external address, service=SMTP to "drop".  This doesn't seem to work, as (I believe) the SMTP proxy receives the traffic before the firewall rule can drop it.

Does anyone know how to DROP all incoming SMTP traffic from a specific IP address?



This thread was automatically locked due to age.
Parents Reply Children
  • No offense to Sophos, but I wouldn't dream of using UTM as my DHCP server.
  • Hi Scott, I was going to suggest DNAT when I first saw this post but after thinking about it, I don't see any need to DNAT . The only difference is that the offending IP will show up in your firewall log instead of SMTP log.

    Here is my reasoning... The MTA will close the connection automatically after receiving bogus telnet commands. Since the MTA is only doing mail transactions and the backend server is taking care of the actual users, it will take a large enough attack to bog down the MTA.

    On the other hand when we DNAT traffic to a non existing IP address (blackhole), you are creating unnecessary conntrack entries. Since the firewall doesn't know that the blackhole IP doesn't exist, those entries would keep on increasing till the conntrack times out.

    Besides (ylmf-pc) is not a fqdn so the IP in OPs post would change frequently and soon enough he will have many DNAT entries creating many opened connections waiting to timeout.

    I am just thinking out loud the pros and cons of dnatting such traffic. Your thoughts?
    Regards
  • Here's my thought, and I'm no expert:

    My real problem is that blocking the source IP address didn't yield any blocking (because the SMTP proxy handling happens before the blocking). This is worked around by DNAT -- essentially, instead of UTM seeing "here's incoming SMTP, send it to the SMTP proxy, and skip the firewall checks", it's told "here's an incoming connection, change the destination, process the firewall checks ... and oh, DROP."

    I think the DNAT solution yields lower load; rewriting the destination and then dropping the connection is easier on the UTM device than actually attempting to do SMTP interactions. Furthermore, a drop without communication is likely to send the attacker off elsewhere sooner too.
  • Glad things are working out for you [;)] You dont' need a firewall rule to drop dnatted traffic as the default rule will drop the traffic anyway. (I had forgotten about the default DENY without explicitly allowing traffic)

    However under heavy loads, I wonder if limiting traffic by IP and further limiting mails per connection would yield better results than trying to find offending IPs specially if they change frequently and generate a large number of connection attempts.