# server attacks

## questionaire

hi there,

I'm currently having the problem that I'm under heavy attack every 2-3 days.

Normally that's not the problem - I secured SSH very well with sshdchain and so on, but I don't know which software component the attack is aimed at. I can describe the symptoms:

- number of processes goes up from 200 to 500

- CPU (dual core) is not heavily used (10-20%)

- CPU load goes up from 1 to 70(!!)

- RAM (2 GB) goes up from 1 GB used to 2 GB used

- swapping starts until the swap is full and the system locks up

I don't know how I can figure out what's wrong here. At first I thought it might be an attack on PHP, but last night I was able to look at "ps auxf" until the attack occurred. Not many PHP processes were running.

Now I'm focusing on Postfix and postgrey, because the number of open connections to ports 25 and 10030 is really high.

Do you have any ideas on how, or whether, I can restrict those connections? How can I find out more information? Or do you have an idea where this could be coming from?

regards,

q

----------

## smerf

Use wireshark/dumpcap/tcpdump to see incoming packets.

----------

## questionaire

I can't monitor and store every single packet on a machine that generates 200 GB of traffic per month, and that for hours or even days!

----------

## ukavi

Maybe the reason that you have so much load is... that you have a lot of load :-/

Also, you don't have to monitor constantly, just until you know what's causing the trouble.

----------

## questionaire

The load normally is only between 0.8 and 2.5, so that is not much load.

It only explodes during those attacks.

And: I don't know what it is or when the next attack starts. It's like sitting on a time bomb.

----------

## gimpel

If you suspect Postfix, check that you didn't accidentally create an open relay.

http://www.checkor.com/

http://www.abuse.net/relay.html

----------

## questionaire

I did all the checks - no open relay. But we know that a customer using this Postfix server is under heavy spam attack (2-5 msgs per second).

The server can handle this easily, but maybe those "attacks" are just a bunch more spammers launching their spamming software (e.g. up to 20 msgs/second).

In combination with postgrey this may be the reason for the heavy memory usage and then swapping?!

(just thoughts)

----------

## gimpel

*questionaire wrote:*

> I did all the checks - no open relay. But we know that a customer using this Postfix server is under heavy spam attack (2-5 msgs per second).
>
> The server can handle this easily, but maybe those "attacks" are just a bunch more spammers launching their spamming software (e.g. up to 20 msgs/second).
>
> In combination with postgrey this may be the reason for the heavy memory usage and then swapping?!


Sure.

I'd try to check logs etc. and find out who sends/gets how much and how much of it is spam. Like some postgrey stats...

http://www.fi.muni.cz/~kas/blog/index.cgi/computers/postgrey-statistics.html

----------

## questionaire

The script doesn't work here. I will try to find a better one.

We know which email address is under heavy attack and we don't have a mailbox installed for it! So we know that we drop all those emails, but the frequency at which spam is sent there is unbelievable.

----------

## Hu

How many unique IP addresses are making the suspicious connections?  If there are not too many, you could simply blacklist those IP addresses in a firewall as a temporary defense: iptables -t nat -I PREROUTING 1 -s spammer-IP-address -j DROP.  It would still be good to determine why they are able to kill your system like this, but this may protect you in the interim.

The load average is likely a result of having many victim processes that are ready to run, but cannot be run because they need data that has been paged out to make room for other victim processes.  If you can prevent the victim processes from consuming so much memory, that should solve both your load average and your system hang.

----------

## questionaire

hi there,

I dropped support for greylisting now on all servers - the coming night will show whether that was the problem. I don't know the IP addresses of the spammers. Most of the time the server stops answering from one second to the next. It's unbelievably fast.

----------
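The two problems in the posts above - Hu's suggestion to count which remote IPs hold the suspicious connections and drop them in the firewall, and the poster's complaint that the box dies too fast to find out - can be handled with one small watchdog. The script below is an added example, not code from any post in this thread. It polls `/proc/loadavg` and, once the 1-minute load passes a threshold, saves the same state the poster later captured by hand (`ps auxf`, `netstat -an`, `free -m`) into a timestamped directory, then summarises connections per remote IP on the mail ports (25 and 10030, the ports named in the thread) and writes candidate `iptables` rules to a file for review rather than applying them. The rules are placed in the filter table's INPUT chain, which is where filtering rules belong (the nat table only sees the first packet of a connection, and newer iptables releases refuse a DROP target there). The netstat sample, the output directory, the thresholds and the IPv4-only parsing are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from any post in this thread): a load-triggered watchdog
# that snapshots process/socket state and summarises busy SMTP peers.
# Ports, thresholds and paths are assumptions; adjust for the real host.

MAIL_PORTS="25 10030"   # smtp and postgrey, the ports named in the thread

# Constructed sample (not real data) in "netstat -an" format, used by demo.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:41230      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:41231      SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.7:41232      ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.9:50001       ESTABLISHED
tcp        0      0 192.0.2.10:10030        127.0.0.1:33001         ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.50:55555      ESTABLISHED'

# load_exceeds "LOADAVG_LINE" THRESHOLD: true if the 1-minute load >= THRESHOLD.
# Takes the line as an argument so it can be exercised without /proc.
load_exceeds() {
  one_min=${1%% *}
  awk -v l="$one_min" -v t="$2" 'BEGIN { if (l + 0 >= t + 0) exit 0; exit 1 }'
}

# peer_counts PORT < socket-listing: "count ip" per remote IPv4 address with a
# non-LISTEN TCP socket on local PORT (SYN_RECV half-opens count too), busiest
# first. Uses the "netstat -an" column layout: 4th=local, 5th=foreign, 6th=state.
# IPv6 ("tcp6") lines are ignored.
peer_counts() {
  awk -v port="$1" '
    $1 == "tcp" && $6 != "LISTEN" {
      n = split($4, l, ":"); if (l[n] != port) next
      split($5, r, ":"); print r[1]
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# block_rules PORT MIN_CONNS < socket-listing: emit (do not run) iptables rules
# for peers holding at least MIN_CONNS connections. filter table, INPUT chain.
block_rules() {
  peer_counts "$1" | awk -v t="$2" -v p="$1" '$1 >= t {
    printf "iptables -I INPUT 1 -p tcp --dport %s -s %s -j DROP\n", p, $2 }'
}

# snapshot OUTDIR: dump process and socket state into a timestamped directory
# and derive per-port peer summaries and proposed rules from the socket dump.
snapshot() {
  dir="$1/$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$dir"
  cat /proc/loadavg > "$dir/loadavg" 2>/dev/null
  ps auxf > "$dir/ps-auxf.txt" 2>/dev/null
  free -m > "$dir/free.txt" 2>/dev/null
  netstat -an > "$dir/netstat-an.txt" 2>/dev/null
  for p in $MAIL_PORTS; do
    peer_counts "$p" < "$dir/netstat-an.txt" > "$dir/peers-port-$p.txt"
    block_rules "$p" 20 < "$dir/netstat-an.txt" > "$dir/proposed-rules-port-$p.sh"
  done
  echo "$dir"
}

# watchdog OUTDIR THRESHOLD [INTERVAL]: poll until load crosses THRESHOLD, then snapshot.
watchdog() {
  while :; do
    if load_exceeds "$(cat /proc/loadavg)" "$2"; then
      snapshot "$1"
      sleep 60          # one snapshot a minute at most, so the disk survives the storm
    fi
    sleep "${3:-5}"
  done
}

# demo: run the parsing on the constructed sample.
demo() {
  printf '%s\n' "$SAMPLE_NETSTAT" | peer_counts 25
  printf '%s\n' "$SAMPLE_NETSTAT" | block_rules 25 3
}

# Usage: ./watchdog.sh --watch /var/tmp/attack 20   (no arguments runs the demo)
if [ "${1:-}" = "--watch" ]; then
  shift; watchdog "$@"
else
  demo
fi
```

Run it under `nohup` from a shell before the next attack; when the load average crosses the threshold the snapshot directory will hold the `ps` and `netstat` output even if the box then swaps itself into a hang. Review `proposed-rules-port-25.sh` by hand before running it: a single busy peer may be a legitimate relay for the customer rather than a spammer.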

## questionaire

Wow, that's more than strange now. An attack occurred right now and I was able to save "netstat -an", "ps aux" and "ps auxf" to see which process uses that much memory - the result was shocking:

```
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     27261 14.7 88.0 2778524 1812248 ?     Ds   09:06   0:18 /usr/sbin/spamd -d -r /var/run/spamd.pid -m 5 -c -H
```

----------

## belrpr

*questionaire wrote:*

> Wow, that's more than strange now. An attack occurred right now and I was able to save "netstat -an", "ps aux" and "ps auxf" to see which process uses that much memory - the result was shocking:
>
> ```
> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
> ...

Didn't find this shocking.

If you suspect a spam attack, then it is just logical that it is your anti-spam.

----------

## questionaire

Simply found it shocking that spamd uses 88% of memory.

Disabled spamc now. I will check whether there are no more downtimes, and then I will see what I can do against it.

Thanks for your help. If you have any further ideas, please let me know.

----------

