Quoting Steve <steve.h...@digitalcertainty.co.uk>:

On Fri, 2009-05-22 at 18:06 +1000, Barney Desmond wrote:
2009/5/22 Ralf Hildebrandt <ralf.hildebra...@charite.de>:
>> 2. Rate/Anti DNS control
>>       a. If IP X is seen more than 50 times in 30 minutes block it.
>
> Postfix can do that using anvil

I'd just like to add to that; the answer here on the list is almost
always, "ANVIL IS NOT FOR DOING THAT" (whatever you think you can use
it for).

Which kind of begs the question, what is it for? :-)

The appliance I took apart had a nice rate control feature. The crux of
it was the ability to set a connection limit on a per-IP basis in 30
minutes. You could *NOT* change this time window, but could change the
limit thus:

50 connections in 30 minutes, 60 connections in 30 minutes ... 200
connections in 30 minutes etc.

What it would do is something like this:
Connection 51 comes in, it defers with a 45x error (temp) and starts a
new timer. If that IP presents another '50' connections in the new
window of 30 minutes - say connections 51-101 - they will also be given
45x errors. If connection 102 falls inside this period it then starts
giving 55x errors to that IP. It will reset when it sees nothing from
that IP in 30 minutes.

It's very useful - but I suspect there is a better way to do this with
iptables. It's a UCE/Protection feature at the end of the day - not an
MTA feature.

This could also be done using a policy service without much effort.
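As an added illustration of that last point (this is not code from the thread, from the appliance, or from the Postfix project), here is a small Python daemon that speaks the Postfix policy delegation protocol and implements the staged behaviour Steve describes: up to 50 connections per 30-minute window pass, the 51st moves the IP to a deferring stage and opens a new window, exceeding the limit again moves it to a rejecting stage, and a full window of silence clears everything. The 30-minute window and 50-connection limit are the thread's numbers; how the stage behaves when a window elapses under continued traffic, the listening port 10040, and the reply texts are my assumptions.

```python
import socketserver
import threading
import time

WINDOW_SECONDS = 30 * 60   # fixed 30-minute window, as in the appliance
DEFAULT_LIMIT = 50         # connections allowed per window (the adjustable knob)


class RateLimiter:
    """Per-IP counter with three stages: 0 = accept, 1 = defer (4xx), 2 = reject (5xx).

    Assumed semantics (my reading of the description, not a documented spec):
    the limit+1'th connection in a window moves the IP up one stage and opens
    a new window; all state is dropped once the IP is silent for a full window.
    """

    def __init__(self, limit=DEFAULT_LIMIT, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so the behaviour can be exercised offline
        self._state = {}            # ip -> {"start", "count", "stage", "last"}
        self._lock = threading.Lock()

    def check(self, ip, now=None):
        """Record one connection attempt from `ip` and return its stage (0, 1 or 2)."""
        now = self.clock() if now is None else now
        with self._lock:
            st = self._state.get(ip)
            if st is None or now - st["last"] >= self.window:
                # first sighting, or nothing seen for a whole window: clean slate
                st = {"start": now, "count": 0, "stage": 0, "last": now}
                self._state[ip] = st
            elif now - st["start"] >= self.window:
                # window elapsed while traffic kept flowing: new window, same stage
                st["start"], st["count"] = now, 0
            st["last"] = now
            st["count"] += 1
            if st["count"] > self.limit:
                # connection limit+1: escalate one stage and start a fresh timer.
                # The triggering connection is not counted in the new window, so
                # the next `limit` connections share its fate (51-101 in the text).
                st["stage"] = min(st["stage"] + 1, 2)
                st["start"], st["count"] = now, 0
            return st["stage"]

    def expire(self, now=None):
        """Drop entries idle for a full window so the table cannot grow without bound."""
        now = self.clock() if now is None else now
        with self._lock:
            idle = [ip for ip, st in self._state.items() if now - st["last"] >= self.window]
            for ip in idle:
                del self._state[ip]
            return len(self._state)


# Policy actions per stage. defer_if_permit and reject reply with Postfix's
# access_map_defer_code (450) and access_map_reject_code (554) by default,
# which mirrors the appliance's 45x-then-55x behaviour.
ACTIONS = {
    0: "DUNNO",
    1: "DEFER_IF_PERMIT Too many connections from your address, try again later",
    2: "REJECT Too many connections from your address",
}

LIMITER = RateLimiter()


def parse_policy_request(raw):
    """Parse the 'name=value' lines Postfix sends (terminated by an empty line) into a dict."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(attrs, limiter=LIMITER, now=None):
    """Return the policy action for one parsed request."""
    ip = attrs.get("client_address", "")
    if not ip:
        return "DUNNO"              # no client address (e.g. non-SMTP submission): not ours to judge
    return ACTIONS[limiter.check(ip, now)]


class PolicyHandler(socketserver.StreamRequestHandler):
    """One Postfix policy connection; Postfix may send several requests over it."""

    def handle(self):
        buf = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                buf.append(line)
                continue
            if not buf:
                continue                      # stray blank line, nothing to answer
            action = decide(parse_policy_request("\n".join(buf)))
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()
            buf = []


if __name__ == "__main__":
    # main.cf (assumed port):  smtpd_client_restrictions = check_policy_service inet:127.0.0.1:10040
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

One caveat worth knowing before relying on this: with the default `smtpd_delay_reject = yes`, Postfix evaluates `smtpd_client_restrictions` at RCPT TO time, so the daemon counts policy requests (roughly, recipients) rather than TCP connections; `smtpd_delay_reject = no` makes client restrictions run at connect time instead. The counters live in the daemon's memory, which is fine because all smtpd processes talk to the one policy service, but they do not survive a restart.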
