DoS Attack on our Server

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6833
Printed Date: 23 November 2017 at 4:53pm


Topic: DoS Attack on our Server
Posted By: johndpatriot1
Subject: DoS Attack on our Server
Date Posted: 10 May 2010 at 9:45am
Over the past 7 days we have been bombarded with some sort of Denial of Service attack coming in on our SMTP port. The Spam Filter is running at 100% utilization. Our daily logs have grown from 6k per day to 57K.
 
The server is so busy handling these requests that legitimate emails are not getting through.
 
Here is a sample from our logs:
 
05/09/10 23:59:59:101 -- (7144) Connection from: 62.57.61.107  -  Originating country : Spain
05/09/10 23:59:59:101 -- (7144) IP is in local blacklist cache. Disconnecting: 62.57.61.107
05/09/10 23:59:59:163 -- (7144) No Data Received
05/09/10 23:59:59:163 -- (7144) Disconnect
05/10/10 00:00:00:163 -- (2904) Connection from: 62.57.61.107  -  Originating country : Spain
05/10/10 00:00:00:163 -- (2904) IP is in local blacklist cache. Disconnecting: 62.57.61.107
05/10/10 00:00:00:226 -- (2904) No Data Received
05/10/10 00:00:00:226 -- (2904) Disconnect
05/10/10 00:00:08:304 -- (5128) Connection from: 112.158.247.64  -  Originating country : N/A
05/10/10 00:00:08:304 -- (5128) IP is in local blacklist cache. Disconnecting: 112.158.247.64
05/10/10 00:00:08:366 -- (5128) No Data Received
05/10/10 00:00:08:366 -- (5128) Disconnect
05/10/10 00:00:08:694 -- (6140) Connection from: 189.32.80.130  -  Originating country : Brazil
05/10/10 00:00:08:694 -- (6140) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:08:757 -- (6140) No Data Received
05/10/10 00:00:08:757 -- (6140) Disconnect
05/10/10 00:00:09:085 -- (9400) Connection from: 189.32.80.130  -  Originating country : Brazil
05/10/10 00:00:09:085 -- (9400) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:09:148 -- (9400) No Data Received
05/10/10 00:00:09:148 -- (9400) Disconnect
05/10/10 00:00:09:273 -- (7216) Connection from: 189.32.80.130  -  Originating country : Brazil
05/10/10 00:00:09:273 -- (7216) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:09:335 -- (7216) No Data Received
05/10/10 00:00:09:335 -- (7216) Disconnect
05/10/10 00:00:09:476 -- (8264) Connection from: 189.32.80.130  -  Originating country : Brazil
05/10/10 00:00:09:491 -- (8264) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:09:554 -- (8264) No Data Received
05/10/10 00:00:09:554 -- (8264) Disconnect
05/10/10 00:00:09:663 -- (4236) Connection from: 189.32.80.130  -  Originating country : Brazil
05/10/10 00:00:09:663 -- (4236) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:09:726 -- (4236) No Data Received
05/10/10 00:00:09:726 -- (4236) Disconnect
05/10/10 00:00:11:085 -- (3696) Connection from: 72.27.7.111  -  Originating country : Jamaica
05/10/10 00:00:11:085 -- (3696) IP is in local blacklist cache. Disconnecting: 72.27.7.111
05/10/10 00:00:11:148 -- (3696) No Data Received
05/10/10 00:00:11:148 -- (3696) Disconnect
05/10/10 00:00:11:523 -- (4472) Connection from: 72.27.7.111  -  Originating country : Jamaica
05/10/10 00:00:11:523 -- (4472) IP is in local blacklist cache. Disconnecting: 72.27.7.111
05/10/10 00:00:11:585 -- (4472) No Data Received
05/10/10 00:00:11:585 -- (4472) Disconnect
05/10/10 00:00:11:819 -- (8424) Connection from: 72.27.7.111  -  Originating country : Jamaica
05/10/10 00:00:11:819 -- (8424) IP is in local blacklist cache. Disconnecting: 72.27.7.111
05/10/10 00:00:11:882 -- (8424) No Data Received
05/10/10 00:00:11:882 -- (8424) Disconnect
 
Is there anything we can do to reduce the amount of traffic coming through?
 
We are currently on Version 4.0.1.786
 
I am hoping to upgrade to the current version today. Perhaps this will fix the issue.

Replies:
Posted By: yapadu
Date Posted: 10 May 2010 at 8:47pm
Hi John,

Did you remove a bunch of lines from the log or anything?  You have included about 11 seconds worth of logs, if that is all the traffic your server saw in 11 seconds then the problem must be something else and not the volume of traffic hitting the server.

Obviously it depends on the hardware, but spamfilter can process hundreds of connections at the same time; during 11 seconds a server could see hundreds or thousands of connections without an issue.

I assume you are looking at the Windows performance monitor, and see spamfilter using all the CPU?  Is the machine single or multiple cores?  Which operating system?

If you have not already, you might also want to turn on grey listing which will help reduce the amount of time a remote server is connected to your server.


-------------
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.
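To put numbers on the log sample in the first post the way yapadu did (how many connections over what span, hits per IP, blacklist-cache rejects, and the peak number of simultaneous connections, which is the figure the later replies compare against the "Max concurrent incoming SMTP connections" setting), here is an added Python script that parses SpamFilter's log line format. It is not from the original thread or from LogSat; the log lines embedded in it are a constructed subset modelled on the ones quoted above, with two connections overlapped on purpose so the concurrency count is exercised.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample modelled on the lines quoted in the first post; the last
# two connections are overlapped on purpose to exercise the concurrency count.
SAMPLE_LOG = """\
05/09/10 23:59:59:101 -- (7144) Connection from: 62.57.61.107  -  Originating country : Spain
05/09/10 23:59:59:101 -- (7144) IP is in local blacklist cache. Disconnecting: 62.57.61.107
05/09/10 23:59:59:163 -- (7144) Disconnect
05/10/10 00:00:08:694 -- (6140) Connection from: 189.32.80.130  -  Originating country : Brazil
05/10/10 00:00:08:694 -- (6140) IP is in local blacklist cache. Disconnecting: 189.32.80.130
05/10/10 00:00:08:757 -- (6140) Disconnect
05/10/10 00:00:11:085 -- (3696) Connection from: 72.27.7.111  -  Originating country : Jamaica
05/10/10 00:00:11:090 -- (4472) Connection from: 72.27.7.111  -  Originating country : Jamaica
05/10/10 00:00:11:148 -- (3696) Disconnect
05/10/10 00:00:11:153 -- (4472) Disconnect
"""

# "MM/DD/YY HH:MM:SS:mmm -- (thread id) message"
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d):(\d{3}) -- \((\d+)\) (.*)$")

def parse_log(text):
    """Yield (timestamp, thread_id, message) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip blank or foreign lines
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            yield ts + timedelta(milliseconds=int(m.group(2))), m.group(3), m.group(4)

def summarize(text):
    """Count connections, rate, per-IP hits, blacklist rejects and peak concurrency."""
    per_ip, open_threads, peak, rejects = Counter(), set(), 0, 0
    first = last = None
    for ts, thread, msg in parse_log(text):
        first, last = first or ts, ts
        if msg.startswith("Connection from:"):
            per_ip[msg.split()[2]] += 1        # third token is the client IP
            open_threads.add(thread)           # one worker thread per connection
            peak = max(peak, len(open_threads))
        elif msg.startswith("IP is in local blacklist cache"):
            rejects += 1
        elif msg == "Disconnect":
            open_threads.discard(thread)
    total = sum(per_ip.values())
    span = (last - first).total_seconds() if first else 0.0
    return {"connections": total, "span_seconds": span,
            "rate_per_second": total / span if span else float(total),
            "per_ip": per_ip, "blacklist_rejects": rejects, "peak_concurrent": peak}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it over a full day's SpamFilter log instead of SAMPLE_LOG to see whether the peak concurrency ever approaches the configured maximum; if it does not, the CPU load has another cause, which is the direction the next reply takes.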


Posted By: LogSat
Date Posted: 10 May 2010 at 10:50pm
johndpatriot1,

As yapadu correctly stated, the number of connections you indicated is actually below average. With a daily logfile size of 60K, you are probably processing only about 70,000-90,000 connections per day. SpamFilter can easily handle millions per day, depending on the server's hardware.

The high CPU usage could be caused by a large/corrupt Bayesian database (in use by the Bayesian statistical filter). If you do use the Bayesian filter, could you please check the size of the files db.dat and db.dat.prb in the \SpamFilter\Corpus directory? If they are in the order of 100MB in size or more, this could be a potential issue.
 
SpamFilter routinely cleans up this database to remove older/stale entries from it. If the database has grown too much in size, you can try to stop SpamFilter, delete (or rename) the SpamFilter/corpus directory, and then restart SpamFilter. That should reset the corpus database for the bayesian filter and allow it to learn about new incoming emails from scratch.



-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: johndpatriot1
Date Posted: 11 May 2010 at 8:50am
I am guessing that it has to do with the Max concurrent incoming SMTP connections. Ours is currently configured for 10. But from what you guys are saying, that is really low. Our server has been running flawlessly at 10 for 3 years; maybe it's time to increase that number. What number makes sense to set this to?
 
John,
 


Posted By: LogSat
Date Posted: 11 May 2010 at 4:25pm
The answer depends on your hardware, but since you appear to be receiving about the same amount of emails we ourselves receive at logsat.com (our own average logfiles range from 60KB to 80KB), as an example let me provide you with our stats.
On average our SpamFilter server has between 3-8 concurrent connections, even though when under "attack" by spambots we see that number increase to 30-40 concurrent connections. These spambots can hit us several times per day, and the "beating" will last several minutes. Our "Max concurrent incoming SMTP connections" is set to 150, while our "Max concurrent SMTP connections from same IP" is set to 20.

Our server has a single quad-core 2GHz CPU with 4GB RAM, and its CPU is usually only between 3%-15%. As a side-note, the server does many other things besides running SpamFilter :-)

As a side-note, we updated this server 3 years ago. Before that we (purposely) had our live SpamFilter installed on a very low-end server with a 400MHz Pentium and only 384MB of RAM. Under those conditions SpamFilter used on average 20% CPU. The amount of traffic 3 years ago was about 20% lower than it is today.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: johndpatriot1
Date Posted: 11 May 2010 at 4:41pm
We are running on a Celeron 2.93 GHz machine with Windows XP and 512MB RAM.
 
Our normal concurrent connections is 0-1, so when I see 80+ at a time it scares me. I have configured it to allow up to 500 concurrent connections and it is actually running better (not sure why, but then I guess who cares if it works). Thanks for your advice.
 
John,
 


Posted By: LogSat
Date Posted: 11 May 2010 at 4:58pm
John,

500 may be a bit too excessive, I'd suggest bringing it back down to 100-200. The bursts of spambots don't usually last a long time, and temporarily rejecting connections when they exceed by a factor of 100 your average load (from 1-2 connections to 100-200 max) is "normal" behavior from admins.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp