bsd.b3ta.org
Yet another *nix admin blog

Our (xwings and I) poor, _soon_to_be_removed_ webserver box at Brickfields netmyne datacentre was under DDOS attacked this morning around 11:30am MYT. The box with 512MB of RAM running FreeBSD survived the attack. However, system resources were running extremely low. More than 100 instances of httpd were running! The system was extremely busy and lag. It barely responded to my ssh connection request.

My pf rule’s stateful tracking limit seemed to be too lenient and not suitable for the box with low system resource.

pass in quick on $netif inet proto tcp from any to ($netif) port {80, 443}
   \ keep state(source-track, max-src-states 100, max-src-nodes 999}

I have decided to head on to more aggressive approach, with use of pf max-src-conn-rate, table and filtering.

table  persist
block in quick on $netif from 
pass in quick on $netif inet proto tcp from any to ($netif) port {80, 443}
   \ keep state(max-src-conn 100, max-src-rate 15/5, overload  flush}

After stopping all httpd instances, I loaded new pf rule. pfctl -f /etc/pf.conf. It worked nicely. table was full of sons/daughters of bitch’s IP addresses.

pfctl -t dos -T show
221.194.136.38
220.181.19.176
72.232.190.82
61.135.162.18
202.190.250.2
64.26.63.19


Happy and back to sleep again. Grow up, kids! Shame on you. You couldn’t even kill a poor little box with 512MB of RAM! But thanks anyway for helping me to test area where I overlooked.

White Papers for Success
Decisions related to web hosting should be taken after going through the current web hosting review. Having an old record of past webhosting review magazines might help a bit. For services like ix web hosting and powweb however, one does not need to go through reviews.

Another way of fighting images spam is by Realtime Black List lookup. This tactic is probably one of method which is inexpensive to server resource.

With postfix, you could just add reject_rbl_client images.rbl.msrbl.net to smtpd_client_restrictions section of postfix’s main.cf.

For instance:

smtpd_client_restrictions = permit_mynetworks,
    reject_rbl_client images.rbl.msrbl.net,
    ….

For qmail, you could just add -r images.rbl.msrbl.net as tcpserver option of your qmail smtp startup script.

Note : images.rbl.msrbl.net - Hosts found sending mail contaning spam images. Check out MSRBL for more info.

On my previous post, I have discussed some of the anti image/PDF spam. I have tried clamav with Sanesecurity’s phishing and scam signatures.

On FreeBSD, I downloaded update shell script by Dan Larsson and made a slight modification as I do not wish to install/use rsync on production servers just to download signature files. I have added these two lines to update shell script under “http_source_urls” and commented out “rsync_source_urls“.

http://download.mirror.msrbl.com/MSRBL-Images.hdb

http://download.mirror.msrbl.com/MSRBL-SPAM.ndb

http_source_urls="
   http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
   http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
   http://clamav.securiteinfo.com/vx.hdb.gz
   http://download.mirror.msrbl.com/MSRBL-SPAM.ndb
   http://download.mirror.msrbl.com/MSRBL-Images.hdb
   http://www.malware.com.br/cgi/submit?action=list_clamav,fetch_interval=86400,target_file=mbl.db

"#rsync_source_urls="
#   rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb
#   rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb
#"

(more…)

A lot of spam image/PDFs were slipping through my office MXs since this spamming technique has gained its popularity and it was getting really out of hands. I have decided to put an end to this madness and experimented various tactics to curb image/PDF spam. Generally, this can be achieved with spam scoring from SpamAssassin or clamav via Sanesecurity’s Phishing and Scam Signatures for ClamAV.

On this post, I will share some of the tactics that I have tried with SpamAssassin. With SpamAssassin, fighting image/PDF spam was trivial.

(more…)