Home / server / Questions / 498979
Accepted
xpda
Asked: 2013-04-13 20:35:20 +0800 CST

Thousands of port 25 connections

  • 772

Tonight a few IP addresses made almost 2500 connections on port 25 of a mail server. 2500 is the max limit, and 50 or less simultaneous connections is normal. They did nothing once they made the connection. The IP addresses belong to Facebook outgoing mail servers, but of course they could have been faked. Has anybody had any experience with something like this? Is there a good way to prevent it from happening?

"TCPIP" 3808 "2013-04-12 21:37:19.787" "TCP - 66.220.155.135 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.787" "TCP - 66.220.155.137 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.819" "TCP - 66.220.144.163 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.819" "TCP - 66.220.144.137 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 69.171.232.166 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 66.220.155.138 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 66.220.155.154 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 66.220.144.150 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 66.220.155.161 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 66.220.155.157 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 69.171.232.142 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 66.220.155.152 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.928" "TCP - 66.220.155.147 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.928" "TCP - 66.220.155.139 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.928" "TCP - 66.220.155.161 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.943" "TCP - 66.220.155.154 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.943" "TCP - 66.220.155.159 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.959" "TCP - 66.220.144.166 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.975" "TCP - 66.220.144.155 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.990" "TCP - 69.171.232.163 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:20.006" "TCP - 66.220.155.147 connected to 12.186.192.3:25."
smtp

2 Answers

  1. Best Answer

    Since you can tell whom the servers belong to:

    1. take a tcpdump showing the connection establishment and initial exchange with your mail server
    2. write a mail to the abuse/technical contact of the organization maintaining the servers
    3. rate-limit the incoming connections from the "troublesome" servers to a sane value so they would not impair your ability to receive other mail
    4. disrupt the "hanging" connections e.g. by restarting the mail server
    5. notify users about the fact that mails from @facebook.com are likely to arrive late or not at all as long as the problem remains unfixed
    • 2

  2. Looks like your smtp server is under some sort of denial of service attack, the source IPs are very likely be faked i.e. spoofed (I would if I were to DoS attack a sever). The best strategy is to deploy IP filtering to block out these addresses until the attack is gone.

    • 0