Spammer/SYNFLood help needed

[thedaver]

My site was joe-jobbed by an a$$hole spammer and now someone else appears to have gotten unncessarily mad about it and launched a DDoS SYN Flood against my machines, which has had the desired effect of essentially crippling my smtp traffic (inbound) by tarpitting all my smtpd sessions with open SYNs

Any help suggested. Platform in RH linux with 2.4.24+ kernels running qmail.

Thanks!

Surfinbox.com Business Internet Services - National Dialup, DSL, T-1 and more.

http://www.surfinbox.com/business/

 

[happydownloader]

Log all that you can and do a traceroute on them
Send thier provider detail about the attack
It is illegal to do this and the provider should drop them because of it

 

[Dalong]

You can recompile your kernel with SYN cookies activated. It will help you manage the Syn flood without problems (but it will do nothing against another kind of DOS, for example bandwidth-oriented).
But are you sure it's a SYN Flood DOS ?

 

[thedaver]

I have MEGAbytes of log files spewing SYN Flood warnings from IPTables. Every IP is different. Targetting port 25 TCP. WAY more than any amount of normal email traffic I'd get. I took down the smtpd service and the SYNFlood remains.

Hosting provider is putting up port-sentry which apparently tries to alter IPTables?! I've got a fairly complex IPTables implementation from "monmotha"'s script and I'm dubious of that working well.

Happydlder: I'm not sure I can traceroute from the existing log information since every IP is probably spoofed. Or, of course, I might REALLY be under attack by 25% of the Internet.... ;-)

More help appreciated.

Surfinbox.com Business Internet Services - National Dialup, DSL, T-1 and more.

http://www.surfinbox.com/business/

 

[Dalong]

If you took down your smtpd, that means you do not need the mail daemon for some time. So you can perform a quick test : change your DNS MX record and remove your server there (I suppose "your server" is the computer getting SYNFlooded; and, of course, I suppose you have secondary MXs somewhere).

If the flood stops (taking DNS propagation into account), this means it's your MX server that is targeted. Check if the secondary gets the load (it should). Someone is after you, but you know how to deviate the blow.

If the SYNflood continues, well, bad luck but that means it's your IP that is targeted (not your server as an MX). Did you recently changed IP ? That could explain a lot.

You should (but I think that's what you're already doing) work with your provider to trace back the flow. Where does it really come from, network-wise (source IPs are almost useless, as you said they are probably spoofed) ? Your provider should be able to see from which router it comes into his network and, step by step, get closer to the real source(s). With a little luck, everything comes from a few computers, and those can be identified.

Of course, if it's a DDos, this route tracing-back will not work for you.

To mitigate the problem, in every case, you may ask your provider to set up QoS, restrincting TCP/25 to something like 10% of your bandwidth.

Hth,