
Thousands of SMTP Connect / Timeouts from same IP -> DoS attack?


Mail Man

Feb 23, 2014, 10:29:10 AM
I see this happen several times a day, but 99.9% of the time it's just a
single SMTP connect/timeout pair, repeated maybe 3 or 4 times over a 24
hour period, each time from a different IP address. Sometimes, instead
of a single connect/timeout, it will be a string of maybe a dozen.

Then maybe once every other month I'll see a sequence of hundreds or
even a few thousand connects/timeouts - like what happened yesterday
morning.

This is on my SMTP server. Here's an example:

------
20140222055948-0500:SMTP-Accept:Timeout:[98.190.158.7]:9:0:22
20140222055951-0500:SMTP-Accept:Connect:[98.190.158.7]
20140222055956-0500:SMTP-Accept:Timeout:[98.190.158.7]:9:0:22
20140222055958-0500:SMTP-Accept:Connect:[98.190.158.7]
20140222060002-0500:SMTP-Accept:Timeout:[98.190.158.7]:9:0:22
20140222060006-0500:SMTP-Accept:Connect:[98.190.158.7]
20140222060010-0500:SMTP-Accept:Timeout:[98.190.158.7]:9:0:22
20140222060013-0500:SMTP-Accept:Connect:[98.190.158.7]
20140222060018-0500:SMTP-Accept:Timeout:[98.190.158.7]:9:0:22
20140222060020-0500:SMTP-Accept:Connect:[98.190.158.7]
20140222060025-0500:SMTP-Accept:Timeout:[98.190.158.7]:9:0:22
-------

The "9:0:22" means

- the time of the total connection (9 seconds)
- the number of messages exchanged (zero)
- the total amount of data transferred (22 bytes)

Between 4:35 am and 8:35 am yesterday (exactly 4 hours to the second)
my server was answering SMTP connect requests from 98.190.158.7, a
total of 2204 attempts, which works out to an average of one attempt
every 6.5 seconds.

A graph of the time between connections over the 4 hours shows quite
erratic times for the first 1/2 hour, alternating between 3 to 12
connections per second and then nothing for 1 to 2 minutes before
repeating. Then during the next 3.5 hours it settles very quickly into
a tighter spread of between 2 to 12 seconds between connections.

Also during the first half-hour, the connect-time rises quickly to 80
seconds, then levels off at 120 seconds, and then falls quickly to a
rock-solid floor of 9 seconds during the remaining 3.5 hours.

For the first 4 or 5 attempts, the number of bytes transferred was 22,
but then drops to 0 during the first 1/2 hour, then goes right back to
22 bytes for the remaining 3.5 hours.

If these were attempts to deliver email to non-existent accounts, or
relay attempts to other domains (both of which I've seen happen) they
would be indicated as such in the log files (which I don't see here).
So whatever is happening during these connections is not the result of
a dictionary attack or a relay attempt.

So I'm wondering what is really going on here.

Is this a DoS attempt on my server from a single IP (98.190.158.7) or
from multiple computers - all of which are forging the same IP?

If the IP is being forged - would it cause my server to generate
responses aimed at 98.190.158.7 - which would be a way to use my server
as DoS tool against 98.190.158.7 ?

Or is all this a (known) symptom of a broken spam-bot?
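As an added example (not part of the original post), a small Python script that parses the SMTP-Accept log format quoted above and summarises, per source IP, how many Connect and Timeout records occurred, the mean gap between Connects and whether any message was ever exchanged; the sample lines, the second (benign) IP from the documentation range and the "idle burst" threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format quoted above (a second, benign IP from
# the documentation range 192.0.2.0/24 is added to show the contrast):
SAMPLE_LOG = """\
20140222055948-0500:SMTP-Accept:Timeout:[98.190.158.7]:9:0:22
20140222055951-0500:SMTP-Accept:Connect:[98.190.158.7]
20140222055956-0500:SMTP-Accept:Timeout:[98.190.158.7]:9:0:22
20140222055958-0500:SMTP-Accept:Connect:[98.190.158.7]
20140222060002-0500:SMTP-Accept:Timeout:[98.190.158.7]:9:0:22
20140222060006-0500:SMTP-Accept:Connect:[98.190.158.7]
20140222060010-0500:SMTP-Accept:Timeout:[98.190.158.7]:9:0:22
20140222060100-0500:SMTP-Accept:Connect:[192.0.2.10]
20140222060110-0500:SMTP-Accept:Timeout:[192.0.2.10]:10:1:512
"""

def parse_line(line):
    """Split one SMTP-Accept line into a dict (IPv4 only; the IP is in [])."""
    parts = line.strip().split(":")
    # first 14 chars are YYYYMMDDhhmmss; the trailing -0500 UTC offset is skipped
    rec = {"ts": datetime.strptime(parts[0][:14], "%Y%m%d%H%M%S"),
           "event": parts[2], "ip": parts[3].strip("[]")}
    if rec["event"] == "Timeout":  # trailing secs:msgs:bytes, e.g. "9:0:22"
        rec["secs"], rec["msgs"], rec["bytes"] = map(int, parts[4:7])
    return rec

def summarise(log_text, min_timeouts=3):
    """Per-IP counts, mean seconds between Connects, and an idle-burst flag."""
    per_ip = defaultdict(lambda: {"connects": [], "timeouts": 0, "msgs": 0})
    for line in filter(None, log_text.splitlines()):
        r = parse_line(line)
        s = per_ip[r["ip"]]
        if r["event"] == "Connect":
            s["connects"].append(r["ts"])
        elif r["event"] == "Timeout":
            s["timeouts"] += 1
            s["msgs"] += r["msgs"]
    out = {}
    for ip, s in per_ip.items():
        t = sorted(s["connects"])
        gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
        out[ip] = {
            "connects": len(t), "timeouts": s["timeouts"], "messages": s["msgs"],
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            # constructed heuristic: repeated timeouts that never carry a message
            "idle_burst": s["timeouts"] >= min_timeouts and s["msgs"] == 0,
        }
    return out
```

Run `summarise(open("smtp.log").read())` against a real log to list the IPs whose connections repeatedly time out with zero messages, which is the pattern the post describes.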