Re: PANIX.COM down: denial of service attack




M C Wong writes:
> > > Can't access to this port be guarded against by a filtering
> > > router which is configured to accept *only* a number of
> > > trusted MX hosts?
> 
> > Sure -- if you only want to accept mail from fifteen machines on
> > earth. If on the other hand your users might get mail from anywhere on
> > earth, your mail ports have to be open to connections from anywhere.
> 
> No, I am saying that we use the MX field in DNS to specify our MX hosts, so
> other hosts from anywhere else will time out connecting to the target smtp
> while trying to deliver mail directly to it, and hence will have to send
> the message to the next best MX host instead, and the firewall is configured
> to permit access *only* from those MX hosts.
> 
> The problem here becomes how one can protect all those MX hosts instead.

You can't. All you are doing is moving the problem. I don't see how
that could be of any possible interest. The machines in question are
already the MX hosts for the zone.

Perry