
On 1/26/06, Barry Shein <bzs@world.std.com> wrote:
> What I presume is a zombie army sending out gazillions of emails to thousands of hosts out there (not ours) with a randomly generated (usually) return/source address @ our domain(s). The target addresses are usually also unknown so it just bounces back at us.
Some sort of user check should mitigate most of this, i.e. drop at the SMTP level, don't bounce.
> Besides the obvious SMTP traffic this also generates a lot of DNS traffic. At this point the DNS traffic seems to be more of a nuisance, probably because so many target hosts are retrying. At one point we were doing around 10K pkts/second in DNS traffic, very unusual.
10K/s is a lot; I would expect a lot less. Presumably the source of the DNS requests would be another DNS server, which should be caching the result. Try increasing the TTL for the "offending" records... I see it's at 24 hours at the moment, though. Can you do some sniffing to determine the source of the lookups? Perhaps a broken DNS server or two out there?
> P.S. If you think "get a firewall": The problem traffic is coming from legitimate hosts in the form of DNS+SMTP, not the bots (not to us anyhow.) So not so simple; what's the filter?
Throttle on the gateway? Specifically, throttle DNS traffic to start if that's doing the most damage, and then throttle SMTP if necessary. Depend on the remote retry to handle any timeouts.
> -- -Barry Shein
-- Jason 'XenoPhage' Frisvold XenoPhage0@gmail.com
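The "drop at the SMTP level, don't bounce" suggestion in the reply above, as an added worked example (it is not code from the thread or from any particular MTA): a small model of a receiving MTA's SMTP dialogue that contrasts accept-then-bounce, where every RCPT TO gets a 250 and the missing mailbox is discovered only at delivery time, producing a DSN to the forged envelope sender, with reject-at-RCPT, where the mailbox is checked during the dialogue and a 550 is returned, so nothing is queued and no backscatter is generated. The domain, the user table and the sessions are constructed for the example.

```python
"""
Minimal model of an SMTP receiver's RCPT TO handling, contrasting two
policies for mail addressed to non-existent local users:

  * "accept-then-bounce": answer 250 to every RCPT TO, then generate a
    delivery status notification (DSN) to the envelope sender after the
    fact.  With forged envelope senders this is backscatter: the bounce
    goes to an innocent domain, as described in the thread.
  * "reject-at-rcpt": check the mailbox during the SMTP dialogue and
    answer 550 5.1.1, so nothing is queued and no bounce is ever built.

Everything here is constructed for illustration: the domain, the local
user table and the sessions are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

LOCAL_DOMAIN = "example.net"                 # assumed domain we receive mail for
LOCAL_USERS = {"alice", "bob", "postmaster"}  # constructed mailbox table

_ADDR_RE = re.compile(r"<\s*([^>@\s]*)@([^>\s]+)\s*>", re.IGNORECASE)


def parse_path(arg: str) -> Optional[Tuple[str, str]]:
    """Return (localpart, domain) from 'FROM:<a@b>' / 'TO:<a@b>', or None."""
    m = _ADDR_RE.search(arg)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def mailbox_exists(localpart: str, domain: str) -> bool:
    """The 'user check' from the reply: is this a deliverable local mailbox?"""
    return domain == LOCAL_DOMAIN and localpart in LOCAL_USERS


@dataclass
class SmtpSession:
    policy: str                                   # "reject-at-rcpt" or "accept-then-bounce"
    sender: Optional[Tuple[str, str]] = None
    accepted: list = field(default_factory=list)  # recipients we answered 250 to
    bounces: list = field(default_factory=list)   # DSNs generated (accept-then-bounce only)

    def handle(self, line: str) -> str:
        """Process one client command line and return the server reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return "250 %s" % LOCAL_DOMAIN
        if verb == "MAIL":
            self.sender = parse_path(arg)
            return "250 2.1.0 Ok" if self.sender else "501 5.1.7 Bad sender address syntax"
        if verb == "RCPT":
            rcpt = parse_path(arg)
            if rcpt is None:
                return "501 5.1.3 Bad recipient address syntax"
            if self.policy == "reject-at-rcpt" and not mailbox_exists(*rcpt):
                # Rejected in-dialogue: the connecting host owns the failure
                # and we queue nothing, so there is nothing to bounce later.
                return "550 5.1.1 <%s@%s>: Recipient address rejected: User unknown" % rcpt
            self.accepted.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.accepted:
                return "554 5.5.1 No valid recipients"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == ".":                # end of message body (body itself omitted here)
            return self._deliver()
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"

    def _deliver(self) -> str:
        # Local delivery after DATA.  Under accept-then-bounce this is the first
        # time we notice the mailbox is missing, so the only option left is a DSN
        # to the (possibly forged) envelope sender.
        for rcpt in self.accepted:
            if not mailbox_exists(*rcpt):
                self.bounces.append({"to": self.sender, "undeliverable": rcpt})
        self.accepted = []
        return "250 2.0.0 Ok: queued"


def run_session(policy: str, sender: str, rcpt: str) -> SmtpSession:
    """Drive one delivery attempt through the dialogue and return the session."""
    s = SmtpSession(policy)
    for line in ("EHLO bot.example.org", "MAIL FROM:<%s>" % sender, "RCPT TO:<%s>" % rcpt):
        if not s.handle(line).startswith("2"):
            s.handle("QUIT")
            return s
    s.handle("DATA")
    s.handle(".")
    s.handle("QUIT")
    return s


if __name__ == "__main__":
    forged = "x7ks2@victim.example"   # constructed forged envelope sender
    for policy in ("accept-then-bounce", "reject-at-rcpt"):
        sess = run_session(policy, forged, "nosuchuser@example.net")
        print("%-18s -> bounces generated: %d" % (policy, len(sess.bounces)))
```

The same forged-sender delivery attempt yields one DSN under accept-then-bounce and none under reject-at-RCPT; the difference is purely where in the dialogue the mailbox check happens, which is why the check has to run before the 250 to RCPT TO rather than in the local delivery agent.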
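The "do some sniffing to determine the source of the lookups" suggestion, as an added example that is not part of the thread: a parser for tcpdump-style DNS query lines that counts queries per source, finds the peak per-second rate, and flags sources that re-ask the same (type, name) inside the record's TTL, which is what a broken or non-caching resolver looks like and what a per-source throttle would target. The capture lines are constructed for the example (documentation address ranges), and the 24-hour TTL used as the default window is the value mentioned in the reply.

```python
"""
Find the resolvers that keep re-asking for the same record inside its TTL.

Input is tcpdump-style DNS query lines, e.g. from
    tcpdump -n -i eth0 'udp dst port 53'
A properly caching resolver asks once per TTL; a source that repeats the
same (type, name) query many times within the TTL is a broken or
non-caching resolver (or something that is not a resolver at all) and is a
candidate for per-source throttling.

The sample lines below are constructed for this example, not real captures.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Query part of a tcpdump line:
#   HH:MM:SS.ffffff IP src.port > dst.53: id[+] TYPE? name. (len)
_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: \d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) "
)

# Constructed capture: 198.51.100.7 behaves like a caching resolver,
# 203.0.113.9 re-asks the same questions within milliseconds.  The second
# line is a response (dst port is not 53) and must be ignored by the parser.
SAMPLE = """\
12:00:00.100000 IP 198.51.100.7.53211 > 192.0.2.53.53: 4011+ MX? example.net. (29)
12:00:00.101000 IP 192.0.2.53.53 > 198.51.100.7.53211: 4011 1/0/0 MX mail.example.net. 10 (45)
12:00:00.250000 IP 203.0.113.9.10001 > 192.0.2.53.53: 1+ MX? example.net. (29)
12:00:00.251000 IP 203.0.113.9.10002 > 192.0.2.53.53: 2+ MX? example.net. (29)
12:00:00.252000 IP 203.0.113.9.10003 > 192.0.2.53.53: 3+ MX? example.net. (29)
12:00:00.253000 IP 203.0.113.9.10004 > 192.0.2.53.53: 4+ A? mail.example.net. (34)
12:00:00.254000 IP 203.0.113.9.10005 > 192.0.2.53.53: 5+ A? mail.example.net. (34)
12:00:01.000000 IP 198.51.100.7.53212 > 192.0.2.53.53: 4012+ A? mail.example.net. (34)
12:01:30.000000 IP 198.51.100.7.53213 > 192.0.2.53.53: 4013+ MX? example.net. (29)
"""


def parse_query(line: str) -> Optional[Tuple[float, str, str, str]]:
    """Return (seconds_since_midnight, src_ip, qtype, qname) or None for non-queries."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    t = int(h) * 3600 + int(mi) * 60 + float(s)
    return t, m.group("src"), m.group("qtype"), m.group("qname").lower()


def top_sources(lines: List[str], n: int) -> List[Tuple[str, int]]:
    """Busiest query sources, as (src_ip, query_count), descending."""
    counts = Counter(q[1] for q in map(parse_query, lines) if q)
    return counts.most_common(n)


def peak_queries_per_second(lines: List[str]) -> Tuple[int, int]:
    """(query count, second-of-day) for the busiest one-second bucket."""
    per_second = Counter(int(q[0]) for q in map(parse_query, lines) if q)
    second, count = per_second.most_common(1)[0]
    return count, second


def repeated_queries(lines: List[str], ttl_seconds: float = 86400) -> Dict[str, int]:
    """
    Count, per source, queries that repeat a (qtype, qname) the same source
    already asked less than ttl_seconds earlier.  The TTL window starts at the
    first query of a run; a repeat does not restart it, matching how a cache
    would have held the answer from that first response.
    """
    window_start: Dict[Tuple[str, str, str], float] = {}
    repeats: Dict[str, int] = defaultdict(int)
    for q in map(parse_query, lines):
        if q is None:
            continue
        t, src, qtype, qname = q
        key = (src, qtype, qname)
        start = window_start.get(key)
        if start is None or t - start >= ttl_seconds:
            window_start[key] = t          # first ask, or cache would have expired
        else:
            repeats[src] += 1              # asked again while it should be cached
    return dict(repeats)


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("top sources:", top_sources(lines, 3))
    print("peak qps:", peak_queries_per_second(lines))
    print("repeats within 24h TTL:", repeated_queries(lines, 86400))
    print("repeats within 60s TTL:", repeated_queries(lines, 60))
```

Run against a real capture, the sources with a high repeat count relative to their total are the ones worth rate-limiting or contacting; with the 24-hour TTL from the thread even 198.51.100.7's second MX query 90 seconds later is a repeat, whereas with a 60-second window only 203.0.113.9 is flagged, which shows how the chosen TTL changes what counts as a broken resolver.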