dccm failure under load

Gary Mills mills@cc.UManitoba.CA
Sat Jan 4 23:06:20 UTC 2003


`dccm' on our main mail server has been failing recently.  The likely
cause was an e-mail address harvesting attack from a compromised
workstation on a cable modem.  It was using hundreds of connections
to check random user names.

The first indication of trouble was:

Jan  4 01:34:56 electra dccm[21819]: [ID 109917 mail.error] DCC, mi_rd_cmd: read returned -1: Connection reset by peer

This was followed by:

Jan  4 09:25:31 electra dccm[21819]: [ID 125918 mail.error] DCC: accept() returned invalid socket (Too many open files), try again
Jan  4 09:25:31 electra dccm[21819]: [ID 925838 mail.error] dcc_mkstemp(/var/dcc/log/004/09/tmp.37CTm2): Too many open files

Here's how it appeared to sendmail, in a different incident:

Jan  2 00:24:28 electra sm-mta[27811]: [ID 801593 mail.error] h026MGQe027811: Milter read(dcc): timeout before data read
Jan  2 00:24:28 electra sm-mta[27811]: [ID 801593 mail.info] h026MGQe027811: Milter (dcc): to error state
Jan  2 00:24:28 electra sm-mta[27811]: [ID 801593 mail.info] h026MGQe027811: Milter: from=<97rok@hotmail.com>, reject=451 4.7.1 Please try again later
Jan  2 00:24:28 electra sm-mta[27811]: [ID 801593 mail.info] h026MGQe027811: from=<97rok@hotmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=h24-66-73-149.wp.shawcable.net [24.66.73.149]

During the attacks, sendmail limits connections to 4 per second.  This would
be sufficient protection, if `dccm' wouldn't fall over.  Is there a way to
make `dccm' more resilient?

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
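
Added example, not part of the original post and not DCC or sendmail code: a log triage script that counts `dccm` descriptor-exhaustion errors and lists which relays were tempfailed after the DCC milter went to error state. It assumes the Solaris syslog layout shown in the post; the function name `summarize` and the result keys are made up for this illustration, and the sample lines are copied from the post.

```python
import re
from collections import Counter

# Log lines copied from the post above (Solaris syslog with "[ID n fac.level]").
SAMPLE = """\
Jan  4 01:34:56 electra dccm[21819]: [ID 109917 mail.error] DCC, mi_rd_cmd: read returned -1: Connection reset by peer
Jan  4 09:25:31 electra dccm[21819]: [ID 125918 mail.error] DCC: accept() returned invalid socket (Too many open files), try again
Jan  4 09:25:31 electra dccm[21819]: [ID 925838 mail.error] dcc_mkstemp(/var/dcc/log/004/09/tmp.37CTm2): Too many open files
Jan  2 00:24:28 electra sm-mta[27811]: [ID 801593 mail.error] h026MGQe027811: Milter read(dcc): timeout before data read
Jan  2 00:24:28 electra sm-mta[27811]: [ID 801593 mail.info] h026MGQe027811: Milter (dcc): to error state
Jan  2 00:24:28 electra sm-mta[27811]: [ID 801593 mail.info] h026MGQe027811: Milter: from=<97rok@hotmail.com>, reject=451 4.7.1 Please try again later
Jan  2 00:24:28 electra sm-mta[27811]: [ID 801593 mail.info] h026MGQe027811: from=<97rok@hotmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=h24-66-73-149.wp.shawcable.net [24.66.73.149]
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<prog>[\w-]+)\[\d+\]: "
                  r"\[ID \d+ \w+\.\w+\] (?P<msg>.*)$")
QID = re.compile(r"^(\w+): (.*)$")            # sendmail queue id prefix
RELAY = re.compile(r"relay=.*\[([0-9.]+)\]")  # client address in brackets


def summarize(log_text):
    """Count dccm fd exhaustion and the clients tempfailed while the milter was down."""
    emfile, errored, tempfailed, relay = 0, set(), set(), {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not in the expected syslog layout
        prog, msg = m["prog"], m["msg"]
        if prog == "dccm" and "Too many open files" in msg:
            emfile += 1
        elif prog == "sm-mta" and (q := QID.match(msg)):
            qid, rest = q.groups()
            if rest.startswith("Milter (dcc): to error state"):
                errored.add(qid)
            if "reject=451" in rest:
                tempfailed.add(qid)
            if r := RELAY.search(rest):
                relay[qid] = r.group(1)
    hit = errored & tempfailed  # sessions rejected because the milter failed
    return {
        "dccm_emfile": emfile,
        "milter_tempfail_qids": sorted(hit),
        "by_relay": Counter(relay[q] for q in hit if q in relay),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The `dccm` and sendmail lines in the post come from different incidents, so the script reports the two symptoms side by side and does not try to correlate them by time.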


