On 2007-09-28 22:10:01, Jeff Jansen wrote:
Michelle Konzack wrote:
In theory... -- but they hit me periodically with over 200 per second.
You're seeing 200 hits a second! From the same IP addresses or
different ones all the time?
This morning I was hit at ~08:00 CET for around 17 minutes from
86 different IPs, and each IP had 30-80 hits per second.
Which makes in summary over 4.100.000 hits.
My logfiles explode!!! 8 GByte in less than 17 minutes.
200 per second was the highest score for ONE IP.
The question is, WHICH server is this? A hijacked/owned PC
on an ADSL or cable modem cannot produce such traffic.
I have only a Dual STM-1 (311 MBit), but the server is a Sun Blade
with 32 CPUs and 128 GByte of memory.
Since no single IP address should be hitting your server that often, you
could rate limit incoming connections to your port 25 with iptables:
iptables -A INPUT -p tcp --dport 25 -m state --state NEW \
-m recent --set
iptables -A INPUT -p tcp --dport 25 -m state --state NEW \
-m recent --update --seconds 60 --hitcount 10 -j DROP
If it sees more than '--hitcount' new connections in '--seconds' number
of seconds, it will start dropping connections, until there are less
than '--hitcount' new connections in '--seconds' number of seconds.
This doesn't know whether connections are authenticated or not,
obviously. It just keeps track of how often new connections come in
from individual IP addresses and drops any that are over the limit.
And this is my problem.
Now imagine the server supports 17000 users and they switch
on their computers between 08:00 and 09:00...
iptables does unfortunately not work for such a scenario.
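A small simulation of the recent-module semantics Jeff describes, added here as an example and not code from either poster: it replays constructed connection events through the `--set` / `--update --seconds 60 --hitcount 10` rule pair and shows both a flooding source being dropped after its tenth connection and, illustrating Michelle's objection, many legitimate users behind one shared address tripping the same limit. The addresses, the traffic shape and the 20-stamp cap are assumptions.

```python
from collections import defaultdict, deque

# Parameters of the rule pair quoted above: --seconds 60 --hitcount 10.
WINDOW_SECONDS = 60
HITCOUNT = 10
# xt_recent keeps at most ip_pkt_list_tot timestamps per address (assumed
# module default of 20); older stamps are overwritten in a ring.
MAX_STAMPS = 20


def simulate_recent(events, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Replay (timestamp, source_ip) new-connection events through the rules.

    Rule 1 (--set) records a timestamp for every new connection.
    Rule 2 (--update --seconds N --hitcount K -j DROP) matches when the
    source already has K or more timestamps inside the last N seconds
    (the stamp just written by rule 1 counts), and a matching --update
    records one more stamp.  Returns {ip: (accepted, dropped)}.
    """
    stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))
    tally = defaultdict(lambda: [0, 0])
    for now, ip in sorted(events):
        hist = stamps[ip]
        hist.append(now)                              # rule 1: --set
        hits = sum(1 for s in hist if now - s <= seconds)
        if hits >= hitcount:                          # rule 2 matches
            hist.append(now)                          # --update side effect
            tally[ip][1] += 1                         # -j DROP
        else:
            tally[ip][0] += 1                         # falls through, accepted
    return {ip: tuple(v) for ip, v in tally.items()}


def sample_traffic():
    """Constructed events using documentation addresses, not real hosts."""
    events = []
    # One source opening 200 new connections per second for two seconds.
    events += [(i / 200, "203.0.113.5") for i in range(400)]
    # A single user fetching mail every 100 seconds.
    events += [(i * 100.0, "198.51.100.7") for i in range(6)]
    # Fifteen users behind one NAT address, each connecting once within 30 s.
    events += [(i * 2.0, "192.0.2.9") for i in range(15)]
    return events


if __name__ == "__main__":
    for ip, (ok, dropped) in simulate_recent(sample_traffic()).items():
        print(f"{ip:15} accepted={ok:4d} dropped={dropped:4d}")
```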