Blibit42
Cadet
Joined: Aug 16, 2008 Posts: 5 Location: USA
Posted: Mon Aug 18, 2008 10:18 pm Post subject: How to STOP SMTP (and other) DDoS Attacks!
Download and Read the PDF file here:
http://www.wakeupyouidiots.com/How_To_Stop_SMTP_DDOS_Attacks.pdf
Then get the package here:
http://www.wakeupyouidiots.com/Logs2List.zip
It is comprehensive, and provides information on how to stop these attacks. You do need control of the server (admin access), but it works and it works well. We must STOP these criminals. PLEASE disseminate the PDF and the ZIP (listed in the PDF) as widely as possible. Pardon the domain name, but I assume that I will be attacked before long and need a "disposable" domain, so get it now!!
Thanks,
Mr. Blibit42
Blibit42
Cadet
Joined: Aug 16, 2008 Posts: 5 Location: USA
Posted: Tue Aug 19, 2008 3:15 pm
Also, I'd like to hear of any success stories, and I am willing to help with advice and more ideas.
And I apologize to the hosting company of the domain I used. It will disappear shortly, anyway. Get it while it's HOT and post it everywhere you can get it exposure. If it worked for me, it can work for others.
Cheers,
Mr. Blibit42
tembow
Blue Angel Premium Member
Joined: Oct 10, 2005 Posts: 2943
Posted: Wed Aug 20, 2008 4:13 am
When you get up to 2,000 or 3,000 banned IPs, at what stage does the IP DENY list performance degrade the operation of the system? Is there a point at which the DENY list becomes so large that the system cannot handle it?
I am wondering whether you can keep the list in place after a DDoS attack ends, without any significant impact.
ahoier
SIRT Handler
Joined: Jan 14, 2006 Posts: 1118 Location: USA
Posted: Wed Aug 20, 2008 2:38 pm
Neat read, nifty tool and a nice idea (if it works).
A co-worker of mine was recently talking about something like this in fear of getting attacked himself, in the near future.
As far as the reading, I noticed it recommends PeerGuardian2. I will say, I've used PeerGuardian2 and it does drop the packets fine. Even blocking 95% of the internet IP address ranges, it blocks the connections "quick".
As far as Moblock, I've not tried that, since I don't have *NIX access....but I think development has been done closely with that of Peerguardian, so it may work the same way.
Blibit42
Cadet
Joined: Aug 16, 2008 Posts: 5 Location: USA
Posted: Wed Aug 20, 2008 3:29 pm
We reached 43000 blocked addresses on a Windows 2000 server box with a Pentium D930 and 2GB of RAM, and it blocked them all and didn't even slow the server down at all!! I did have to buy a new Ethernet switch that I use between the ISP and my servers - they had it all clogged up (had to reset it every hour or so) and it was pretty old. But I got a good one for 195 dollars (about all I could afford right then).
It literally saved my business. I lost one customer before I got it finished and working, but they were leaving us anyway for Exchange services with someone else. Our server has about 20 domains and about 150 users and we were blocking 43000 addresses, updated DAILY from the logs. It really works for the LONG SLOW session attacks that the other methods will not stop (like blocking over X connections per minute). I had to do something. It was all or nothing. I was expecting a "SEND ME MONEY AND I'LL STOP" message any day. I am going to update it to also look for TOO MANY HTTP connections per minute in HTTP logs. I don't "like" these people and we must beat them with technology. I will post the new one when it is done.
Cheers,
Mr. Blibit42
Blibit42
Cadet
Joined: Aug 16, 2008 Posts: 5 Location: USA
Posted: Wed Aug 20, 2008 4:00 pm
As far as:
"I am wondering whether you can keep the list in place after a DDoS attack ends, without any significant impact."
At one point I was blocking 4 days of 100 MB per day logs and I had them in for a week. As long as you are sure that you are not accidentally blocking one of your own mail users, I can't see any reason why it could hurt. It will certainly partially slow down a second "sneak" attack, and you can bet I have saved my OLD original lists with the old Bot Army addresses. But as we all know, the Bots do change IPs over time due to what I call the "Homer Simpson Effect" (HSE).
I now update it every morning, and I am sure that the original blocked addresses have all filtered out of it, but now, since I am blocking everything that goes into my email server intrusion detection (which is now set to 3 or more "no such users" per IP) I have cut my SPAM by about 30% - I think it is because PGLite is blocking for 24 hours (or more) and my Intrusion detection is only doing 12 hours - but I would have to do some studying to be sure that is why. I just have to make very sure I don't block one of my users who ended up in the 12 hour block for BAD typing of user names - that could be ME as bad as my typing is...! <grin> (but then again, my IP is in the NeverBlock.txt ;0>)
Cheers,
Mr Blibit42
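The log-to-deny-list step described in the post above (count "no such user" rejections per client IP, block at 3 or more, never block anything listed in NeverBlock.txt), written out as an added Python example; this is not the poster's Logs2List package. The SMTP log line format, the sample entries and the NEVER_BLOCK entries are constructed assumptions, and the never-block check accepts CIDR ranges so that a block of regular users' addresses can be protected, which is the concern raised later in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample SMTP log (not from the thread); the line format is assumed.
SAMPLE_LOG = """\
2008-08-20 03:14:07 198.51.100.23 RCPT TO:<bob@example.test> 550 no such user
2008-08-20 03:14:09 198.51.100.23 RCPT TO:<bobb@example.test> 550 no such user
2008-08-20 03:14:11 198.51.100.23 RCPT TO:<boby@example.test> 550 no such user
2008-08-20 03:14:50 198.51.100.99 RCPT TO:<carol@example.test> 550 no such user
2008-08-20 03:14:52 198.51.100.99 RCPT TO:<carole@example.test> 550 no such user
2008-08-20 03:16:30 192.0.2.77 RCPT TO:<alic@example.test> 550 no such user
2008-08-20 03:16:31 192.0.2.77 RCPT TO:<alicee@example.test> 550 no such user
2008-08-20 03:16:33 192.0.2.77 RCPT TO:<alise@example.test> 550 no such user
2008-08-20 03:16:40 192.0.2.77 RCPT TO:<alise@example.test> 550 no such user
2008-08-20 03:20:02 203.0.113.9 RCPT TO:<alcie@example.test> 550 no such user
2008-08-20 03:20:05 203.0.113.9 RCPT TO:<aliec@example.test> 550 no such user
2008-08-20 03:20:07 203.0.113.9 RCPT TO:<alic@example.test> 550 no such user
2008-08-20 03:20:08 203.0.113.9 RCPT TO:<alice@example.test> 250 OK
"""

# Constructed NeverBlock list: the admin's own address plus a range of regular users.
NEVER_BLOCK = ["192.0.2.77", "203.0.113.0/24"]
# Assumed layout: "<date> <time> <client ip> ... 550 no such user".
LINE_RE = re.compile(r"^\S+ \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) .*\b550 no such user\b")

def count_bad_rcpt(log_text):
    """Count '550 no such user' rejections per client IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def build_deny_list(log_text, never_block, threshold=3):
    """Return sorted IPs with >= threshold bad-recipient attempts, minus NeverBlock."""
    protected = [ipaddress.ip_network(n, strict=False) for n in never_block]
    deny = []
    for ip, n in count_bad_rcpt(log_text).items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in protected):
            continue  # never lock out own users, however badly they type
        deny.append(ip)
    return sorted(deny, key=ipaddress.ip_address)

if __name__ == "__main__":
    print("\n".join(build_deny_list(SAMPLE_LOG, NEVER_BLOCK)))
```

Run against real logs, the output would be the deny file fed to the blocking tool; re-running it each morning over the day's log is the daily update the post describes.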
ahoier
SIRT Handler
Joined: Jan 14, 2006 Posts: 1118 Location: USA
Posted: Thu Aug 21, 2008 12:24 am
That's about the only concern I could see, particularly for large scale sites/domains...i.e.: something like CastleCops
The amount of users here....a range of innocents would end up in the filter sooner or later....hell, in the earlier DoS attack this year, my BellSouth static IP landed in Paul's blocklist so I couldn't connect for a couple days due to it.
A possible work-around would be to grab the IPs of "frequent customers" (or "regulars" lol) - and add them to the AlwaysAllow....but if they are on dynamic addresses, those addresses could be used maliciously in due time...
So, how far are you willing to code all the IFs, ANDs, and ORs? ^^ lol. Only joking - more of just "food for thought" for users who choose to go this route. There will always be pros and cons to nearly every system, but hey, this is free.
spamislame
SIRT Handler
Joined: Apr 19, 2006 Posts: 217
Posted: Thu Aug 21, 2008 7:11 pm
This is great stuff.
I haven't admin'd a server at this level (yet) but it's definitely on my list of things to learn. Thanks for providing this resource.
SiL