Re: PANIX.COM down: denial of service attack
M C Wong writes:
> > > Can't access to this port be guarded against by a filtering
> > > router which is configured to accept *only* a number of
> > > trusted MX hosts?
>
> > Sure -- if you only want to accept mail from fifteen machines on
> > earth. If on the other hand your users might get mail from anywhere on
> > earth, your mail ports have to be open to connections from anywhere.
>
> No, I am saying that we use the MX field in DNS to specify our MX hosts, so
> other hosts from anywhere else will time out connecting to the target SMTP
> while trying to deliver mail directly to it, and hence will have to send
> the message to the next best MX host instead, and the firewall is configured
> to permit access *only* from those MX hosts.
>
> The problem here becomes how one can protect all those MX hosts instead.

You can't. All you are doing is moving the problem. I don't see how
that could be of any possible interest. The machines in question are
already the MX hosts for the zone.

Perry