From: Sebastien Berube (sberubeZEROKNOWLEDGE.COM)
Date: Fri Mar 30 2001 - 13:04:55 CST

    I would just like to inform everybody our organisation just went under a
    heavy SMTP DoS. The symptoms were thousands of connections established
    from at first the same source to the SMTP port of one of our MX. Once
    we started blocking this particular IP address, the connections started
    coming from a different address. And so on for about 3 hours. I had to
    write a quick and dirty connection tracker to determine if each source IP
    had more than 15 connections. If it did, I'd block them.

    What we were able to determine is that every host that was used to DoS us
    was a Windows-based machine. All of these hosts were running IIS4 or
    IIS5. We were also able to notice that the hosts used for the attack
    were being used in alphabetical order of their domain name as we blocked
    them.

    Regards.

    --
    Sebastien Berube
    Unix Systems Administrator
    sberubezeroknowledge.com
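
The per-source check the message describes (flag any source holding more than 15 connections to the SMTP port), as an added example that is not the poster's script. It assumes `netstat -an`-style input in either the Linux `addr:port` or BSD `addr.port` layout; the function names, addresses and sample lines are constructed.

```shell
#!/bin/sh
LIMIT=15        # threshold from the message: more than 15 connections per source
SMTP_PORT=25

# Reads netstat -an style lines on stdin and prints "count ip" for each remote
# address with more than LIMIT ESTABLISHED connections to the local SMTP port.
smtp_offenders() {
    awk -v limit="$LIMIT" -v port="$SMTP_PORT" '
    # Split an endpoint at its last ":" or "." so both "1.2.3.4:25" (Linux)
    # and "1.2.3.4.25" (BSD) work; results go to the globals ADDR and PORT.
    function split_ep(ep,    i) {
        i = length(ep)
        while (i > 0 && substr(ep, i, 1) !~ /[:.]/) i--
        ADDR = substr(ep, 1, i - 1)
        PORT = substr(ep, i + 1)
        return i > 0
    }
    $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
        # The local and remote endpoints are the two fields before the state.
        if (!split_ep($(NF - 2))) next
        lport = PORT
        if (!split_ep($(NF - 1))) next
        # Count inbound SMTP only; outbound mail has port 25 on the remote side.
        if (lport == port) count[ADDR]++
    }
    END {
        for (ip in count)
            if (count[ip] > limit) print count[ip], ip
    }' | sort -rn
}

# Constructed sample: 16 inbound connections from 198.51.100.7 (Linux layout),
# 15 from 203.0.113.9 (BSD layout, exactly at the limit), one TIME_WAIT entry
# and one outbound SMTP connection that must not be counted.
sample_netstat() {
    i=0
    while [ "$i" -lt 16 ]; do
        echo "tcp 0 0 192.0.2.1:25 198.51.100.7:$((40000 + i)) ESTABLISHED"
        if [ "$i" -lt 15 ]; then
            echo "tcp4 0 0 192.0.2.1.25 203.0.113.9.$((50000 + i)) ESTABLISHED"
        fi
        i=$((i + 1))
    done
    echo "tcp 0 0 192.0.2.1:25 198.51.100.7:41000 TIME_WAIT"
    echo "tcp 0 0 192.0.2.1:51234 198.51.100.7:25 ESTABLISHED"
}

sample_netstat | smtp_offenders   # prints: 16 198.51.100.7
```

On a live mail server the input would be `netstat -an | smtp_offenders`, with the printed addresses fed to whatever filtering mechanism is in use.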