On 24.04.2014 20:40, Ray Hunter wrote:
> The parameters would be:
> single attacker with access to a few /64's or /48's of address space.
> Not trying to fend off a distributed million-node botnet.
> mail server with 100Mbps full-duplex Internet connection = 50000
> sessions per second approx (100000 packets per second with SYN, SYN-ACK,
> ACK three way handshake)
> storage time of approx 30-60 seconds.
Hi,

this is complex stuff; I can only share about fighting big botnets. In my special, most bot-loved domain (i.e. 1000 SMTP bot connections per minute as a spike) I use the iptables recent module invoked from rsyslog; this should work with IPv6 too. In my case the rsyslog filter matches Spamhaus RBL postscreen strings and avoids any more SMTP connections from the same IP for, i.e., one day. After that firewalling, the server and any other mail stuff has enough power left to work properly on "legal" SMTP connections. This is not an ultimate everywhere solution; it needs massive log analysis before taking action that way, perhaps combined with some other modules like geoip.

To give you some ideas, perhaps look at

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/
https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

sorry, German too, but the tech side should be understandable anyway. For sure there are many other aspects more in this discussion question.

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
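The approach Robert describes (match postscreen's DNSBL reject lines in the log, then feed the offending client addresses to an iptables/ip6tables `recent` list with a one-day lifetime) can be sketched in a few dozen lines. The block below is an added example, not code from Robert's post or from the sys4 blog articles: it parses constructed postscreen log lines, keeps a block list with per-entry expiry, and emits the xt_recent commands and firewall rules that would enforce it. The log wording follows Postfix postscreen but the addresses, hostnames and the list name `smtpblock` are made up; the commands are returned as strings rather than executed, so it runs without root.

```python
"""
Turn postscreen DNSBL rejections into a time-limited block list.

Hypothetical example code added for illustration; not from the post or
from sys4.  Log lines and the list name "smtpblock" are constructed.
"""
import ipaddress
import re
import time

RECENT_LIST = "smtpblock"   # hypothetical xt_recent list name
BLOCK_SECONDS = 86400       # "one day", as in the post

# Constructed sample: two DNSBL rejects (one IPv4, one IPv6), one clean
# client, and one malformed line that must not reach the firewall.
SAMPLE_LOG = [
    "Apr 24 20:40:01 mx postfix/postscreen[2130]: CONNECT from [192.0.2.10]:53124 to [198.51.100.5]:25",
    "Apr 24 20:40:02 mx postfix/postscreen[2130]: NOQUEUE: reject: RCPT from [192.0.2.10]:53124: "
    "550 5.7.1 Service unavailable; client [192.0.2.10] blocked using zen.spamhaus.org; "
    "from=<a@example.org>, to=<b@example.net>, proto=ESMTP, helo=<x>",
    "Apr 24 20:40:03 mx postfix/postscreen[2130]: PASS NEW [203.0.113.7]:41020",
    "Apr 24 20:40:04 mx postfix/postscreen[2130]: NOQUEUE: reject: RCPT from [2001:db8::25]:40101: "
    "550 5.7.1 Service unavailable; client [2001:db8::25] blocked using zen.spamhaus.org; "
    "from=<c@example.org>, to=<b@example.net>, proto=ESMTP, helo=<y>",
    "Apr 24 20:40:05 mx postfix/postscreen[2130]: NOQUEUE: reject: RCPT from [not-an-ip]:1: "
    "550 5.7.1 Service unavailable; client [not-an-ip] blocked using zen.spamhaus.org; "
    "from=<>, to=<>, proto=ESMTP, helo=<z>",
]

# The back-reference (?P=ip) is a consistency check: the address in the
# RCPT clause and in the "client [...]" clause must agree.
DNSBL_REJECT = re.compile(
    r"postfix/postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:\d+: "
    r"550 5\.7\.1 Service unavailable; client \[(?P=ip)\] blocked using (?P<rbl>[^;]+);"
)


def dnsbl_rejected_clients(lines):
    """Return [(ip_address, rbl_name), ...] for every DNSBL reject line."""
    hits = []
    for line in lines:
        m = DNSBL_REJECT.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))   # validates v4 and v6
        except ValueError:
            continue   # malformed address: never hand it to the firewall
        hits.append((ip, m.group("rbl")))
    return hits


class Blocklist:
    """Addresses with an expiry time, in epoch seconds."""

    def __init__(self, ttl_seconds=BLOCK_SECONDS):
        self.ttl = ttl_seconds
        self._until = {}

    def add(self, ip, now):
        self._until[ip] = now + self.ttl   # re-adding an address renews it

    def expire(self, now):
        """Drop entries whose TTL has passed; return the addresses removed."""
        gone = [ip for ip, until in self._until.items() if until <= now]
        for ip in gone:
            del self._until[ip]
        return gone

    def active(self, now):
        # Sort by family first: mixed v4/v6 objects are not comparable.
        return sorted((ip for ip, until in self._until.items() if until > now),
                      key=lambda ip: (ip.version, ip))


def recent_add_command(ip, list_name=RECENT_LIST):
    # xt_recent exposes each list as /proc/net/xt_recent/<name>;
    # writing "+addr" adds the address, "-addr" removes it.
    return f"echo +{ip} > /proc/net/xt_recent/{list_name}"


def firewall_rules(list_name=RECENT_LIST, seconds=BLOCK_SECONDS):
    """One rule per address family dropping SMTP SYNs from listed hosts."""
    return [f"{tool} -I INPUT -p tcp --dport 25 --syn -m recent "
            f"--name {list_name} --rcheck --seconds {seconds} -j DROP"
            for tool in ("iptables", "ip6tables")]


if __name__ == "__main__":
    now = time.time()
    blocked = Blocklist()
    for rule in firewall_rules():
        print(rule)
    for ip, rbl in dnsbl_rejected_clients(SAMPLE_LOG):
        blocked.add(ip, now)
        print(f"# {ip} listed by {rbl}")
        print(recent_add_command(ip))
    print("active:", [str(ip) for ip in blocked.active(now)])
```

In production the matching would live in an rsyslog filter (as in the sys4 article) that pipes the address into the `/proc/net/xt_recent/` file, and the `--seconds` argument on the rule gives the same one-day expiry that `Blocklist.expire` models here; the malformed fifth line shows why the address should be validated before it is written anywhere near the firewall.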
