It took longer than it should, but there are now filters in place against the syn flood my server got on port 80 in addition to icmp attacks probably against DNS. They came from many different source addresses and were directed to my server only, so it was definitely a mildly competent DDOS attack. Peak traffic was about 20 Megabits, probably limited by the available network bandwidth.
None of this significantly affected SURBL performance, and things should be operating normally again now. We will be taking steps to further reduce the effects of attacks like this.
Until the SYN packets stop, the web site will remain down.
Would anyone like to help mirror the largely static and relatively tiny SURBL web site?
Jeff C. -- "If it appears in hams, then don't list it."
On Tuesday, February 1, 2005, 2:59:06 AM, Raymond Dijkxhoorn wrote:
Hi!
Until the SYN packets stop, the web site will remain down.
Would anyone like to help mirror the largely static and relatively tiny SURBL web site?
Sure, we can make the content available on the rsync server for selected nodes...
That would be awesome if you could! Would you like to grab the entire "surbl" directory, say nightly...? That's the whole site.
Jeff C. -- "If it appears in hams, then don't list it."
Hi!
Sure, we can make the content available on the rsync server for selected nodes...
That would be awesome if you could! Would you like to grab the entire "surbl" directory, say nightly...? That's the whole site.
Sure, but let's take this offlist.
People interested in running a html mirror for SURBL please contact me or Jeff offlist so we can make arrangements.
Bye, Raymond.
The SURBL web site is up. We have better filtering in place if the attacks happen again.
Jeff C. -- "If it appears in hams, then don't list it."
Jeff Chan wrote:
The SURBL web site is up. We have better filtering in place if the attacks happen again.
Can you share, so those of us who want to mirror the site can have the same tools at our disposal?
David
On Tuesday, February 1, 2005, 4:14:18 AM, David Coulson wrote:
Jeff Chan wrote:
The SURBL web site is up. We have better filtering in place if the attacks happen again.
Can you share, so those of us who want to mirror the site can have the same tools at our disposal?
David
That would be great! If Raymond can grab it to the rsync server and folks can rsync it from there, I can set up round robin DNS for it.
About the only dynamic thing that would be somewhat useful to have running on each server is the name server checking scripts, which are a couple small perl ones, IIRC. They should run pretty much anywhere from a 5 minute cron job like I use:
# check name servers
*/5 * * * * /bin/sleep 36; cd /web/antispam/surbl; ./check-nameservers-replace
I will reorganize them slightly to run from the web directory.
Jeff C. -- "If it appears in hams, then don't list it."
On Tuesday, February 1, 2005, 4:21:02 AM, Jeff Chan wrote:
About the only dynamic thing that would be somewhat useful to have running on each server is the name server checking scripts, which are a couple small perl ones, IIRC. They should run pretty much anywhere from a 5 minute cron job like I use:
# check name servers
*/5 * * * * /bin/sleep 36; cd /web/antispam/surbl; ./check-nameservers-replace
I will reorganize them slightly to run from the web directory.
OK, they're re-organized to run from the same directory. There are two perl scripts and one csh script, plus the crontab.
If you enable them, please edit paths, set up the cron job, and *disable the outage paging of me* (or substitute your own pager notification address).
Also needed is the zone-list:
http://spamcheck.freeapp.net/zone-list
which is currently symlinked into the web directory since it's used elsewhere.
Drop me a note when the site is ready and I'll add it to the DNS.
Any questions, let me know, and thanks! :-)
Jeff C. -- "If it appears in hams, then don't list it."
Jeff Chan wrote:
Would anyone like to help mirror the largely static and relatively tiny SURBL web site?
Yep :-)
David