Re: 2.99.55 caused DoS attack
On Fri, Apr 11, 2003 at 01:21:01PM -0500, Roy Bixler wrote:
> My day today has been rather "interesting" so far.
> Campus networking twice had to disable the network port for our
> Z-Mailer 2.99.55 mail server due to DoS attack on their name servers.
> The first time, I had already concluded that a transport agent was
> responsible. It was trying to resolve an MX to mx0.onemustfall.com
> and making constant queries to the DNS to do that. It was most likely
> a piece of bounced spam and certainly onemustfall.com has defective DNS
> records, but it's equally a mystery why it would cause the transport
Single message? Or hundreds of them?
(and all to that domain ?)
> agent to bomb our DNS servers. In the interest of getting our mail
> server back on the network as soon as possible, I deleted all the spam
> from the postoffice. After re-starting Z-Mailer, the problem was solved.
That domain is yielding SERVFAIL. I recall something of that type
was once upon a time causing quick loop kind of problems.
I pulled the 2.99.55 version, and compiled it.
There is test tool 'getmxrr-test', which tests the DNS lookup facility.
Indeed that tool should be in your $MAILBIN/ directory, too.
$MAILBIN/getmxrr-test mx0.onemustfall.com
In my test system, the freshly compiled 2.99.55 version runs very slowly.
(Observed by running it in strace.) Same as the up-to-date CVS version does.
There have been glibc-related problems, which may cause some problems of
their own, e.g. address lookups spin fast.
> The system is running Debian woody on x86 with Linux
> v. 2.4.19-pre7aa1. The ZMailer is the 2.99.55-3 Debian packaging, but
> looking at the Debian patches, no significant changes were made to
> ZMailer source code to produce the package. One other interesting
> note is that I had 3 nameserver entries in my /etc/resolv.conf file
> and our campus DNS people were complaining that, in addition to the
> DoS attack, DNS queries were going out to all 3 nameservers at once.
>
> In the aftermath, I configured a BIND9 caching DNS server on localhost
> and added a special route for messages to the 'onemustfall.com' domain:
>
> .onemustfall.com bitbucket!
>
> If it would be useful for debugging, I could try to dig up the exact
> message causing the problem. Even better, hopefully this bug has been
> fixed already and my problem is running an old version of ZMailer.
Do look at what the getmxrr-test tool does.
If it runs very fast, it would definitely indicate something to be amiss.
Possibly in system libc ...
Reading the ChangeLog file, I have done some changes relating to
that a week after 2.99.55-patch1 was published. I can't say for
sure whether those might help.
> TIA,
> --
> Roy Bixler <rcb@ucp.uchicago.edu>
--
/Matti Aarnio <mea@nic.funet.fi>
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
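The symptom in this thread was first noticed by the campus DNS operators, not on the mail server itself: one host issuing the same MX query over and over against a name whose authoritative servers answer SERVFAIL. The following is an added example (not part of the thread and not ZMailer code) of how a resolver operator could spot such a runaway client from query logs. It assumes BIND-style query log lines of the form `DD-Mon-YYYY HH:MM:SS.mmm client IP#PORT: query: NAME IN TYPE` (the exact field layout is an assumption) and that each client's lines appear in time order; the sample log is constructed inline and uses documentation-range addresses.

```python
"""Flag DNS clients that repeat one identical query in a tight loop.

Added example, not ZMailer code.  Input lines are assumed to look like
BIND query logging:  '11-Apr-2003 13:05:01.101 client 192.0.2.25#1025: query: NAME IN TYPE'
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout; adjust the pattern for other resolver log formats.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    qname = m.group("qname").lower().rstrip(".")  # normalise case and trailing dot
    return ts, m.group("client"), qname, m.group("qtype")


def find_runaway_clients(lines, window=timedelta(seconds=10), threshold=20):
    """Sliding-window detector.

    Returns {(client, qname, qtype): peak_count} for every key that issued at
    least `threshold` identical queries inside any `window`-long span.  A
    correctly behaving MTA defers a SERVFAIL'd destination to its queue
    schedule, so dozens of identical queries within seconds is a loop.
    """
    recent = defaultdict(deque)  # per key: timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ts, client, qname, qtype = parsed
        key = (client, qname, qtype)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def _fmt(t):
    # BIND-style timestamp with millisecond precision
    return f"{t:%d-%b-%Y %H:%M:%S}.{t.microsecond // 1000:03d}"


def constructed_sample_log():
    """Constructed sample: one looping mail host plus one well-behaved client."""
    base = datetime(2003, 4, 11, 13, 5, 1)
    lines = []
    # Looping MTA: 60 identical MX queries, one every 100 ms, for a SERVFAIL'd name.
    for i in range(60):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{_fmt(t)} client 192.0.2.25#1025: query: mx0.onemustfall.com IN MX")
    # Normal client: a few distinct lookups, one each.
    for i, name in enumerate(["www.example.org", "mail.example.org", "ns1.example.org"]):
        t = base + timedelta(seconds=i)
        lines.append(f"{_fmt(t)} client 192.0.2.40#2048: query: {name} IN A")
    return lines


if __name__ == "__main__":
    for (client, qname, qtype), peak in find_runaway_clients(constructed_sample_log()).items():
        print(f"runaway client {client}: {peak} x {qname}/{qtype} within 10s")
```

The detector keys on the full (client, name, type) triple rather than on the client alone, so a busy but healthy mail server that resolves many different destinations is not flagged, while a single stuck transport agent is. The window and threshold are starting points; a site would tune them against its own normal query rate before acting on the output.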