Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 19 replies
  • Answers 1 answer
  • Subscribers 6 subscribers
  • Views 35419 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PushDo Attack: Does anyone know how to DROP all incoming SMTP traffic from a specific IP address?

adamgoldberg

I'm being attacked by the PushDo spamming botnet (see serverfault.com/.../email-server-attack-from-telnet), identified by the following lines which repeat in my SMTP log:

2016:02:02-16:00:56 fw exim-in[5767]: 2016-02-02 16:00:56 SMTP connection from [104.40.23.216]:49657 (TCP/IP connection count = 2)
2016:02:02-16:00:57 fw exim-in[12914]: 2016-02-02 16:00:57 SMTP connection from (ylmf-pc) [104.40.23.216]:49657 lost

I've tried to manually drop this traffic, by setting up a firewall rule for 104.40.23.216 to my external address, service=SMTP to "drop".  This doesn't seem to work, as (I believe) the SMTP proxy receives the traffic before the firewall rule can drop it.

Does anyone know how to DROP all incoming SMTP traffic from a specific IP address?



This thread was automatically locked due to age.
Parents
  • 0
    Just as an FYI, if you're using the UTM for DHCP, it doesn't do true reservations. Static-IPs need to be outside the scope offered by the UTM DHCP server instance. As an example, if the scope is currently 192.168.0.2-192.168.0.254, change it to 192.168.0.2-192.168.0.253 and use .254 as the blackhole. :)
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • 0 in reply to Scott_Klassen
    Hi Scott, I was going to suggest DNAT when I first saw this post but after thinking about it, I don't see any need to DNAT . The only difference is that the offending IP will show up in your firewall log instead of SMTP log.

    Here is my reasoning... The MTA will close the connection automatically after receiving bogus telnet commands. Since the MTA is only doing mail transactions and the backend server is taking care of the actual users, it will take a large enough attack to bog down the MTA.

    On the other hand when we DNAT traffic to a non existing IP address (blackhole), you are creating unnecessary conntrack entries. Since the firewall doesn't know that the blackhole IP doesn't exist, those entries would keep on increasing till the conntrack times out.

    Besides (ylmf-pc) is not a fqdn so the IP in OPs post would change frequently and soon enough he will have many DNAT entries creating many opened connections waiting to timeout.

    I am just thinking out loud the pros and cons of dnatting such traffic. Your thoughts?
    Regards
  • 0 in reply to Billybob
    Here's my thought, and I'm no expert:

    My real problem is that blocking the source IP address didn't yield any blocking (because the SMTP proxy handling happens before the blocking). This is worked around by DNAT -- essentially, instead of UTM seeing "here's incoming SMTP, send it to the SMTP proxy, and skip the firewall checks", it's told "here's an incoming connection, change the destination, process the firewall checks ... and oh, DROP."

    I think the DNAT solution yields lower load; rewriting the destination and then dropping the connection is easier on the UTM device than actually attempting to do SMTP interactions. Furthermore, a drop without communication is likely to send the attacker off elsewhere sooner too.
  • 0 in reply to adamgoldberg
    Glad things are working out for you [;)] You dont' need a firewall rule to drop dnatted traffic as the default rule will drop the traffic anyway. (I had forgotten about the default DENY without explicitly allowing traffic)

    However under heavy loads, I wonder if limiting traffic by IP and further limiting mails per connection would yield better results than trying to find offending IPs specially if they change frequently and generate a large number of connection attempts.
Reply
  • 0 in reply to adamgoldberg
    Glad things are working out for you [;)] You dont' need a firewall rule to drop dnatted traffic as the default rule will drop the traffic anyway. (I had forgotten about the default DENY without explicitly allowing traffic)

    However under heavy loads, I wonder if limiting traffic by IP and further limiting mails per connection would yield better results than trying to find offending IPs specially if they change frequently and generate a large number of connection attempts.
Children
No Data
Unfiltered HTML