[ale] Being used in a DOS attack against others

Bao C. Ha bao at hacom.net
Thu Aug 8 15:03:19 EDT 2002


On Thu, Aug 08, 2002 at 02:21:32PM -0400, David Bronson wrote:

Hi Michael,

If the IP of the sender is static, you can just blackhole it.
You can also have procmail blackhole the bounce mails to
a certain domain.

Personally, I don't think it is a problem.  It is a normal
behavior for the mails to be bounced back.  It is only a
problem when it becomes double-bounced and so on.  I think
the sys admin at attackedcompany.com should be the one to
reconfigure his mail server to temporarily drop all of
the MAILER-DAEMON mails.  It is not reasonable to contact
everyone involved while they can do a much better job at
their end.

Thanks.
Bao

> 
> We drop mail to non-existent users, it isn't so helpful to the few
> senders with legitimate bad addresses, but we don't have many problems
> like you describe either.
> 
> David Bronson
> 
> On Thu, Aug 08, 2002 at 09:48:25AM -0400, Michael Hirsch wrote:
> > Someone has been using our mail server to amplify a DOS attack against
> > some other mail servers.  It works like this.  They send a mail to
> > randomuser at nubridges.com with a return address of attackedcompany.com. 
> > Since random user does not exist we send a reply that the user does not
> > exist to attackedcompany's mail server.  So we flood their mail server.
> > 
> > I've never seen this attack before, though it seems quite simple.  Is
> > this a well known DOS attack?  Has anyone else been experiencing this? 
> > 
> > It seems to have stopped this morning, but it was ongoing for the last
> > two days.
> > 
> > --Michael
> > 
> > 
> > ---
> > This message has been sent through the ALE general discussion list.
> > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> > sent to listmaster at ale dot org.
> 

-- 
Bao C. Ha                    voice: (310) 675-3510
8D66 6672 7A9B 6879 85CD  42E0 9F6C 7908 ED95 6B38
Primary Perpetrator of "Slackware Linux Unleashed"
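
Added example, not part of the original message or of any poster's setup: a small log check for the bounce pattern described in this thread, where one claimed sender domain sends almost exclusively to non-existent local users. The log format, the `.example` domains and the thresholds are assumptions constructed for illustration and do not match any particular MTA's output.

```python
import re
from collections import Counter

# Constructed sample records in a simplified, hypothetical log format:
# time, envelope sender, recipient, delivery result.
SAMPLE_LOG = """\
09:00:01 from=<a1@victim.example> to=<xkqz@ourdomain.example> result=unknown-user
09:00:02 from=<b7@victim.example> to=<pwlm@ourdomain.example> result=unknown-user
09:00:02 from=<c3@victim.example> to=<qqrt@ourdomain.example> result=unknown-user
09:00:03 from=<d9@victim.example> to=<zzyx@ourdomain.example> result=unknown-user
09:01:10 from=<bob@partner.example> to=<alice@ourdomain.example> result=delivered
09:02:15 from=<bob@partner.example> to=<alcie@ourdomain.example> result=unknown-user
09:03:20 from=<sue@partner.example> to=<alice@ourdomain.example> result=delivered
09:04:00 from=<> to=<alice@ourdomain.example> result=delivered
"""

LINE = re.compile(
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> result=(?P<result>\S+)"
)


def domain(addr):
    """Lower-cased domain part of an address, or '' for the null sender <>."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def backscatter_suspects(log_text, min_bounces=3, min_ratio=0.8):
    """Return {claimed_sender_domain: (unknown_user_count, total_messages)}
    for domains whose mail to us is mostly addressed to unknown users,
    i.e. domains our bounces are probably being aimed at."""
    total, unknown = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        dom = domain(m["sender"])
        if not dom:  # null sender: this is itself a bounce, nothing to reflect
            continue
        total[dom] += 1
        if m["result"] == "unknown-user":
            unknown[dom] += 1
    return {
        d: (unknown[d], total[d])
        for d in unknown
        if unknown[d] >= min_bounces and unknown[d] / total[d] >= min_ratio
    }


if __name__ == "__main__":
    for dom, (bad, seen) in backscatter_suspects(SAMPLE_LOG).items():
        print(f"{dom}: {bad}/{seen} messages to unknown users")
```

A domain flagged this way is a candidate for the measures mentioned in the thread, such as dropping mail to non-existent users for that sender instead of generating a bounce.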
