On 1/27/06, Barry Shein <bzs@world.std.com> wrote:
Besides the obvious SMTP traffic this also generates a lot of DNS traffic. At this point the DNS traffic seems to be more of a nuisance probably because so many target hosts are retrying. At one point we were doing around 10K pkts/second in DNS traffic, very unusual.
This has been going on for about a week.
At least some broken resolvers will keep re-querying you so see if you cant throttle or rate limit dns queries from problem IPs for a while. That, and increase TTLs a bit. As for the smtp - * Dont accept email for catchall aliases - try to reject all you can at the gateway * Bounces and backscatter - RFC violation or not, accepting bounces takes a backseat to keeping your mail system up and running. TEMPORARILY turn off accepting mail from:<>, especially if you're seeing far, far more bounce traffic to nonexistent addresses on your site than valid bounces. Long term - see if you can't use http://www.mipassoc.org/batv/ especially if all your users send email through your smtp server from outside (say using AUTH) or ssh in and use pine / elm or whatever on your shell servers.
So where does one start. It seems a mother ship needs to be shut down somewhere, etc. Obviously ID'ing a miscreant would be a nice result.
You sure its just one botnet hitting you? Shutting off a mothership often means that the zombies become even more zombied and keep pounding on your server long after the mothership is dead. --srs -- Suresh Ramasubramanian (ops.lists@gmail.com)