Citizens of the Marshall Islands in the South Pacific have been left without a functioning email systems following a denial of service attack on the country's sole ISP. It could take days to full restore service, the general manager of the Marshall Islands National Telecommunications Authority (NTA) told Radio New Zealand …
Wilting under pressure
...try qmail - running on an inexpensive current spec box, it'll cope easily with 500 connections per second...
Compile in a few of the funkier qmail mod patches, and 'what DOS?'.
(Mines the one with 'Dan Bernstein Fanclub' on the back)
Is this country a purveyor of spam? Somebody may be trying to prevent spam.
It's the number of open connections that's problematic
I don't think they would have issues with 500 normal, short connections per second. The article talks about 'constantly locking' their servers to zombies. This looks to me like the zombies opened long-lasting connections at a rate of 500 per second.
With that strategy, you quickly exhaust the available number of slots for TCP connections on a system. Even qmail wouldn't help then, because the TCP connection would be rejected on a much lower level by the TCP stack already.
You need to set an aggressive, small TCP timeout on your server to combat that strategy. Even so: If the rate of new connections is too high, you will still have problems.
With even a small botnet, you can hammer a server with several thousand connections per second.
Trial run, maybe? Checking the botnet's capabilities out for synchronised activity?
So, who's next?
proable some pleb
not happy with his service decided to teach the isp a lesson and downed his self while he was at it proable now moaning at them he can't play wow
Another reason to write ...
Event-driven servers! No forking, disk access or memory allocation unless necessary! Memory to kernel network buffers and huge fd counts! Then we can devote RAM to where it's really needed and a DoS won't actually impact the server more than needed given sensible policies even when under severe assault.
Course, I don't want you to think botmasters are harmless or easy to defeat. They aren't. But that's another problem for the architects of the Internet and the service providers to work out between them. But for now, I want to encourage sensible uses of system resources, and qmail (qmail!!!) doesn't do that. Nor do the other MTAs in common use, but IMHO qmail is quite the worst because everything is a process and is never resident. 500 incoming connections means 500 individual smtpd process startups from nill; however fast that is, it's a bloody waste and is dreadfully slow compared to chatting at once!
Alright, I'll stop now.
Anon because the qmail molesters are everywhere! EVERYWHERE! And they're coming to get me!!!
THE MELT DOWN CAUSE WAS SPAM
THE PROBLEM WITH THE INTERNET IS SPAM. THE GOV AND THE IP SHOULD STOP THE SPAM
I suspect that the Marshalls are running off a satellite connection which would make the problem really difficult to deal with. With a one second turn around on your first IP hop out of the country you can't have short timeouts on anything.
Sounds to me like someone doing a test run.
Paris - Because the signals will be going through a lot of air before they get anywhere.
And where be the main US Star Wars interception long range missile test facility be but at an atoll that starts with a K within the Marshall island Group , along with a few island atolls that glow unnaturally in the dark for the next 25,000 years or so from weapons research post 1945 until circa 1963 ?
even bikini itself is low-background underwater. you can actually scuba in the main bays and "bowls" safely. the abovewater has some metallic "hotspots" but has "cooled" to fairly safe levels. Discovery or nat geo did an article on it several years back. most of the fallout has been washed, swept , and deep-buried by ol' ma nature over the years since any of those lil' bangs last went off. you can even dive around the wrecks. ....and the place "starting with k" is also the site of a cruiser and destroyer escort running gun battle from when us forces closed with the jap fleet and sank many tons of jap warships and miscellaneous support craft with moderate losses of their own. all make for great dives... in addition to that, the prinz eugen was being towed back from the bikini area, and turned turtle off "the k place" where you can see it's aft keel jutting out of the water. recently, someone managed to filch the massive props off it's arse without getting caught. Brass for bronze,no?
BLACK CHOPPERS OF DOOM because some moron will think secrets are involved regarding a widely public-published location that's been on newspaper front pages and in dozens of books and magazines during it's naval,nasa,airforce, and special interest group affiliations! :0
@tim not a numbers man I see !
@tim , surely you jest , but there is no such thing as safe radiation levels as it is cumulative in it's effect as my old physics professor used to say and only requires a minor change in DNA to cause measurable long term damage !
However , since a number of these weapons involved the use of pure plutonium the majority of which is not consumed in the chain reaction explosion by the way and whose toxic effects are off scale too!
You appear to have forgotten to mention the bulk of the early Radiation Researchers died quiet young from assorted lethal career self induced cancers or what happened to large number of miners hired to work the US Uranium mines with no attention to any mine safety standards period . Or the even more unfortunate "Radiation Girls" (the company involved in that scam pulled strings in high places to avoid paying up like real men !). Then go on to miss some five hundred square miles of closed , sealed and uninhabitable land almost impossible to clean up with current technology for the next 25,000 years in a place called Hanford , Washington State where the Columbia River flows(Generation one reactors were all open loop direct river water cooled) or the many evil illegal without consent tests conducted on the states inhabitants allegedly in the name of science but more like war crimes exposed in a place called Nuremberg carried out in two other countries if truth be told .
I seem to recall that the US government now has on very urgent recall the several million odd samples of a substance called trinityite glass that was foolishly handed out quite freely to tourists to ground zero not all that long ago because of it's hidden long term effect of slowly killing the owner by degrees but that be another tale !
Yeah , as they say the radiation industry and the old test sites are truly safe until you run the numbers game relative to occupations and then the cluster effect clearly shows through !
Such is life , for we all live and die by numbers in this universe !
As for the Heavy Cruiser "The Prinz E." , the intertubes has all the answers for questions about what really happened to the missing three props !
Sure there's safe levels.
@heystoopid, sure there's safe levels. It's like any other type of energy -- if you go out in the sun for an hour you're fine, go under a high intensity tanning lamp for an hour you're burned, go under something 10x stronger you're probably burned to a crisp. Low enough intensities won't even penetrate skin; and to deal with cosmic rays etc., cells repair DNA damage, so low counts per minute of higher-intensity radiation doesn't cause a problem either. Is this island safe? No idea, I'd assume there's some hot spots that would make it not safe to reinhabit.
No one's forgotten about early radiation researchers OR uranium miners... they were regularly exposed to high levels of radiation.
As for trinitite -- I did some googling, the Trinity site was buried shortly after the blast for security reasons apparently.. so despite there being a 10 foot deep by 1100 foot section of it, there's not lots in circulation. But I found no mention anywhere of anyone actually trying to withdraw the existing samples from circulation.
Time to install Postfix
And drop smtpd_timeout to less than 30 sec. And install fail2ban so that rejected/dropped hosts that try again too many times within a specified time period (I'd make it more than 3 times in 6 hours, if I was getting hammered like that) get banned at the IP level.
How to defend against this
There are two defenses, which I would personally use in tandem.
The first is identifying your known legitimate email sources - where do you get 90% of your good email from? Reserve a few TCP connections for just these hosts. With this, an attack like the above may degrade your service, but you can still get some mail from where it matters most.
The second is using a dynamic firewall, which updates itself based on connection activity. The specific rule here is that sites that connect and do not send email for the command timeout period get added to the deny rule for a day per time they do this. This rule will of course not stop the whole attack, because there will be too many IPs to gather in too short a time. To augment it, one could put in a rule that if greater than 50% of the allowable connections are engaged in behavior similar to this, dynamically reduce the command timeout period, until we either reach a configured minimum time (say, 10 seconds) or the situation stabilizes.
Of course, the real trick here is having a dynamic firewall product that lets one do this.
During the attack it is likely your servers behind the IP addresses targeted by the botnet will not deal with the flow, no matter qmail / rbldns etc..
What I would do: block all incoming smtp traffic but from yahoo, hotmail, and the top 3 ISP my customers deal with ( use of SPF records to create firewall rules - of course I treate ~all as -all ).
Then quickly rent some servers anywhere in the world ( any linux virtual server for $10 a month will do ), declare it as MX for my domain, put in iptable rule to limit the the rate on incoming smtp traffic on it and tunnel the smtp traffic to my servers.
It's a lot of manual work, but in 2 or 3 hours, for less than $150, one admin can have maybe up to 20 new mx ip addresses. If the attacker just sticks blindly to the initial ip addresses ( and believes he succeeds since you are blocking all his traffic at firewall level ), you have a sporting chance of having a degraded but functionning service. If the attacker follows your mx ip addresses you can rotate them on your pool or extend your pool, or both, and in parrallel analyze your logs and prepare a mega iptable rule to stop the botnet.