Spam Filter ISP Support Forum


DoS Attack on our Server

johndpatriot1 (Newbie, joined 03 November 2006, Canada)
Posted: 10 May 2010 at 9:45am
Over the past 7 days we have been bombarded with some sort of Denial of Service attack coming in on our SMTP port.  The Spam Filter is running at 100% utilization.  Our daily logs have grown from 6k per day to 57K.
 
The server is so busy handling these requests that legitimate emails are not getting through.
 
Here is a sample from our logs:
 
05/09/10 23:59:59:101 -- (7144) Connection from: 62.57.61.107  -  Originating country : Spain
05/09/10 23:59:59:101 -- (7144) IP is in local blacklist cache. Disconnecting: 62.57.61.107
05/09/10 23:59:59:163 -- (7144) No Data Received
05/09/10 23:59:59:163 -- (7144) Disconnect
05/10/10 00:00:00:163 -- (2904) Connection from: 62.57.61.107  -  Originating country : Spain
05/10/10 00:00:00:163 -- (2904) IP is in local blacklist cache. Disconnecting: 62.57.61.107
05/10/10 00:00:00:226 -- (2904) No Data Received
05/10/10 00:00:00:226 -- (2904) Disconnect
05/10/10 00:00:08:304 -- (5128) Connection from: 112.158.247.64  -  Originating country : N/A
05/10/10 00:00:08:304 -- (5128) IP is in local blacklist cache. Disconnecting: 112.158.247.64
05/10/10 00:00:08:366 -- (5128) No Data Received
05/10/10 00:00:08:366 -- (5128) Disconnect
05/10/10 00:00:08:694 -- (6140) Connection from: 189.32.80.130  -  Originating country : Brazil
05/10/10 00:00:08:694 -- (6140) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:08:757 -- (6140) No Data Received
05/10/10 00:00:08:757 -- (6140) Disconnect
05/10/10 00:00:09:085 -- (9400) Connection from: 189.32.80.130  -  Originating country : Brazil
05/10/10 00:00:09:085 -- (9400) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:09:148 -- (9400) No Data Received
05/10/10 00:00:09:148 -- (9400) Disconnect
05/10/10 00:00:09:273 -- (7216) Connection from: 189.32.80.130  -  Originating country : Brazil
05/10/10 00:00:09:273 -- (7216) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:09:335 -- (7216) No Data Received
05/10/10 00:00:09:335 -- (7216) Disconnect
05/10/10 00:00:09:476 -- (8264) Connection from: 189.32.80.130  -  Originating country : Brazil
05/10/10 00:00:09:491 -- (8264) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:09:554 -- (8264) No Data Received
05/10/10 00:00:09:554 -- (8264) Disconnect
05/10/10 00:00:09:663 -- (4236) Connection from: 189.32.80.130  -  Originating country : Brazil
05/10/10 00:00:09:663 -- (4236) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:09:726 -- (4236) No Data Received
05/10/10 00:00:09:726 -- (4236) Disconnect
05/10/10 00:00:11:085 -- (3696) Connection from: 72.27.7.111  -  Originating country : Jamaica
05/10/10 00:00:11:085 -- (3696) IP is in local blacklist cache. Disconnecting: 72.27.7.111
05/10/10 00:00:11:148 -- (3696) No Data Received
05/10/10 00:00:11:148 -- (3696) Disconnect
05/10/10 00:00:11:523 -- (4472) Connection from: 72.27.7.111  -  Originating country : Jamaica
05/10/10 00:00:11:523 -- (4472) IP is in local blacklist cache. Disconnecting: 72.27.7.111
05/10/10 00:00:11:585 -- (4472) No Data Received
05/10/10 00:00:11:585 -- (4472) Disconnect
05/10/10 00:00:11:819 -- (8424) Connection from: 72.27.7.111  -  Originating country : Jamaica
05/10/10 00:00:11:819 -- (8424) IP is in local blacklist cache. Disconnecting: 72.27.7.111
05/10/10 00:00:11:882 -- (8424) No Data Received
05/10/10 00:00:11:882 -- (8424) Disconnect
 
Is there anything we can do to reduce the amount of traffic coming through?
 
We are currently on Version 4.0.1.786
 
I am hoping to upgrade to the current version today.  Perhaps this will fix the issue.
 
 
 
yapadu (Senior Member, joined 12 May 2005)
Posted: 10 May 2010 at 8:47pm
Hi John,

Did you remove a bunch of lines from the log or anything?  You have included about 11 seconds worth of logs, if that is all the traffic your server saw in 11 seconds then the problem must be something else and not the volume of traffic hitting the server.

Obviously it depends on the hardware, but spamfilter can process hundreds of connections at the same time; during 11 seconds a server could see hundreds or thousands of connections without an issue.

I assume you are looking at the Windows performance monitor, and see spamfilter using all the CPU?  Is the machine single or multiple cores?  Which operating system?

If you have not already, you might also want to turn on grey listing which will help reduce the amount of time a remote server is connected to your server.


Edited by yapadu - 10 May 2010 at 9:55pm
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.
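An added example, not from this thread or from LogSat's software, that does by script what yapadu is estimating by eye from the excerpt: it parses the log format shown in the opening post and reports the time span covered, connections per second, connections per source IP, how many were rejected from the local blacklist cache, and the peak number of simultaneously open connections (a connection is treated as open from its "Connection from" line until the "Disconnect" line carrying the same bracketed id, which is assumed to be a per-connection thread id). The sample lines are copied from the post above; the timestamp layout MM/DD/YY HH:MM:SS:mmm is assumed from them.

```python
import re
from collections import Counter
from datetime import datetime
# Two connection sequences copied from the log excerpt in the opening post.
SAMPLE_LOG = """\
05/09/10 23:59:59:101 -- (7144) Connection from: 62.57.61.107  -  Originating country : Spain
05/09/10 23:59:59:101 -- (7144) IP is in local blacklist cache. Disconnecting: 62.57.61.107
05/09/10 23:59:59:163 -- (7144) No Data Received
05/09/10 23:59:59:163 -- (7144) Disconnect
05/10/10 00:00:11:085 -- (3696) Connection from: 72.27.7.111  -  Originating country : Jamaica
05/10/10 00:00:11:085 -- (3696) IP is in local blacklist cache. Disconnecting: 72.27.7.111
05/10/10 00:00:11:148 -- (3696) No Data Received
05/10/10 00:00:11:148 -- (3696) Disconnect
"""
# Assumed layout: "MM/DD/YY HH:MM:SS:mmm -- (thread id) message"
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d):(\d{3}) -- \((\d+)\) (.*)$")
CONN_RE = re.compile(r"^Connection from: (\S+)")

def parse_line(line):
    """Return (timestamp, thread_id, message), or None for non-matching lines."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
    return ts.replace(microsecond=int(m.group(2)) * 1000), m.group(3), m.group(4)

def analyze(lines):
    """Per-IP counts, rate over the span, blacklist-cache hits and peak open connections."""
    per_ip, open_conns = Counter(), {}   # open_conns: thread id -> IP until 'Disconnect'
    peak = blacklisted = 0
    first = last = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, tid, msg = parsed
        first, last = first or ts, ts
        conn = CONN_RE.match(msg)
        if conn:
            per_ip[conn.group(1)] += 1
            open_conns[tid] = conn.group(1)
            peak = max(peak, len(open_conns))
        elif msg.startswith("IP is in local blacklist cache"):
            blacklisted += 1
        elif msg == "Disconnect":
            open_conns.pop(tid, None)
    span = (last - first).total_seconds() if first else 0.0
    total = sum(per_ip.values())
    return {"total_connections": total, "span_seconds": span, "per_ip": dict(per_ip),
            "rate_per_second": total / span if span else 0.0,
            "blacklist_cache_hits": blacklisted, "peak_concurrent": peak}
```

Run it over a full day's log file (`analyze(open(path))`) to get the real connection rate and peak concurrency rather than a guess from an 11-second window; a peak of 1 on the excerpt above confirms those connections were sequential, not simultaneous.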
LogSat (Admin Group, joined 25 January 2005, United States)
Posted: 10 May 2010 at 10:50pm
johndpatriot1,

As yapadu correctly stated, the number of connections you indicated is actually below average. With a daily logfile size of 60K, you are probably processing only about 70,000-90,000 connections per day. SpamFilter can easily handle millions per day, depending on the server's hardware.

The high CPU usage could be caused by a large/corrupt Bayesian database (in use by the Bayesian statistical filter). If you do use the bayesian filter, could you please check the size of the files db.dat and db.dat.prb in the \SpamFilter\Corpus directory? If they are in the order of 100MB in size or more, this could be a potential issue.
 
SpamFilter routinely cleans up this database to remove older/stale entries from it. If the database has grown too much in size, you can try to stop SpamFilter, delete (or rename) the SpamFilter/corpus directory, and then restart SpamFilter. That should reset the corpus database for the bayesian filter and allow it to learn about new incoming emails from scratch.

Roberto Franceschetti

LogSat Software

Spam Filter ISP
johndpatriot1 (Newbie)
Posted: 11 May 2010 at 8:50am
I am guessing that it has to do with the Max concurrent incoming SMTP connections.  Ours is currently configured for 10.  But from what you guys are saying, that is really low.  Our server has run flawlessly at 10 for 3 years; maybe it's time to increase that number.  What number makes sense to set this to?
 
John,
 
LogSat (Admin Group)
Posted: 11 May 2010 at 4:25pm
The answer depends on your hardware, but since you appear to be receiving about the same amount of emails we ourselves receive at logsat.com (our own average logfiles range from 60KB to 80KB), as an example let me provide you with our stats.
On average our SpamFilter server has between 3-8 concurrent connections, even though when under "attack" by spambots we see that number increase to 30-40 concurrent connections. These spambots can hit us several times per day, and the "beating" will last several minutes. Our "Max concurrent incoming SMTP connections" is set to 150, while our "Max concurrent SMTP connections from same IP" is set to 20.

Our server has a single quad-core 2GHz CPU with 4GB RAM, and its CPU is usually only between 3%-15%. As a side-note, the server does many other things besides running SpamFilter :-)

As a side-note, we updated this server 3 years ago. Before that we (purposely) had our live SpamFilter installed on a very low end server with a 400MHz Pentium and only 384MB of RAM. Under those conditions SpamFilter used on average 20% CPU. The amount of traffic 3 years ago was about 20% lower than it is today.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
johndpatriot1 (Newbie)
Posted: 11 May 2010 at 4:41pm
We are running on a Celeron 2.93 GHz machine with Windows XP and 512 MB RAM.
 
Our normal concurrent connections is 0-1, so when I see 80+ at a time it scares me.  I have configured it to allow up to 500 concurrent connections and it is actually running better (not sure why, but then I guess who cares if it works).  Thanks for your advice.
 
John,
 
LogSat (Admin Group)
Posted: 11 May 2010 at 4:58pm
John,

500 may be a bit excessive; I'd suggest bringing it back down to 100-200. The bursts of spambots don't usually last a long time, and temporarily rejecting connections when they exceed your average load by a factor of 100 (from 1-2 connections to 100-200 max) is "normal" behavior for admins.
Roberto Franceschetti

LogSat Software

Spam Filter ISP