«

In article <pan.2005.05.14.02.20.48.223486@TRACKER> in nz.comp on Sat, 14
May 2005 14:20:48 +1200, Bling-Bling <> says...
> On Fri, 13 May 2005 21:31:37 +1200, Rob J wrote:
>
> >> There aren't any viruses that can damage a modern properly configured and
> >> maintained *nix server.
> >
> > But if you get a virus causing machines to send floods of emails, that
> > can affect any server.
>
> And if that server is properly configured and maintained, then the fact
> that many clients are attempting to pass emails to it should not affect
> the ability of that server to do what it does normally.
>
> What will be affected is the ability of clients to contact the server, due
> to the high number of other users also attemting to do the same.
>
> A properly configured server will have a pre-determined maximum number of
> concurrent connections configured and will not accept more, and will drop
> any further attempts until the number of concurrent connections falls
> below that threshold.
>
> That maximum number should be set according to the capacity of the
> server's hardware, and of the bandwidth available to it.
>

It may be easy for you to say this with your own server with a tiny
amount of traffic passing through it.

It's a whole different ballgame when an ISP gets what is effectively a
DOS attack with a flood of traffic, who knows, 10x or even more of the
normal amount of traffic.

At the very least there will be obvious network congestion from the
traffic into and out of the server.

What do you suppose is happening when the server is dropping connections?
Could it be that people are finding it difficult to use the server?

In article <pan.2005.05.14.05.24.25.410157@TRACKER> in nz.comp on Sat, 14
May 2005 17:24:25 +1200, Bling-Bling <> says...
> On Sat, 14 May 2005 15:00:20 +1200, Stewart Fleming wrote:
>
> > Unfortunately, a coordinated Denial of Service attack will be exactly
> > that against such a configuration. If an attacker coordinates traffic
> > to your host, then all your connections are used by the attacker and
> > denied to your customers.
>
> But your server will survive the attack - until you yourself choose to
> take it offline or disconnect service to those customers.
>
> I think it's simple to add into a service contract that if the connection
> be used for such attacks such as DOS, then the ISP reserves the right to
> discontinue providing connectivity to that client until further notice.
>
> Now wouldn't that encourage users to be just a wee bit more vigilant?
> Actually, probably not.

In this case we are not talking about one client. It may be referring to
hundreds or even thousands.

In article <pan.2005.05.14.06.44.36.723082@TRACKER> in nz.comp on Sat, 14
May 2005 18:44:37 +1200, Bling-Bling <> says...
> On Sat, 14 May 2005 18:14:43 +1200, Stewart Fleming wrote:
>
> > You need a better solution where you coordinate with upstream providers
> > to identify, then scrub or throttle DoS traffic.
>
> The context I had in mind was an EMAIL server.
>
> Most ISPs do not permit connections to SMTP servers from outside of their
> network.
>
> In that context it would be very easy to control against DOS/virus
> attacks.
>
> All it owuld require is the WILL to disconnect acounts from zombie
> computers.

We are talking about one particular ISP. The most obvious and likely
source of the traffic is customers of that ISP. As such they have
guaranteed access to the SMTP server of Paradise.

On Mon, 16 May 2005 09:21:58 +1200, Rob J wrote:

>> A properly configured server will have a pre-determined maximum number of
>> concurrent connections configured and will not accept more, and will drop
>> any further attempts until the number of concurrent connections falls
>> below that threshold.
>>
>> That maximum number should be set according to the capacity of the
>> server's hardware, and of the bandwidth available to it.
>>
>
> It may be easy for you to say this with your own server with a tiny
> amount of traffic passing through it.
>
> It's a whole different ballgame when an ISP gets what is effectively a
> DOS attack with a flood of traffic, who knows, 10x or even more of the
> normal amount of traffic.
>
> At the very least there will be obvious network congestion from the
> traffic into and out of the server.
>
> What do you suppose is happening when the server is dropping connections?
> Could it be that people are finding it difficult to use the server?

If under normal conditions the server is operating *that* close to the
limit of the bandwidth available to it, then one would have thought that
it was past time for an additional server and/or additional bandwidth.


Bling Bling

--
IBM: "Linux is not just another operating system. It represents a
collaboration of the best programmers in the industry coming together to
create an operating system that works on any hardware platform."

On Mon, 16 May 2005 09:22:05 +1200, Rob J wrote:

> We are talking about one particular ISP. The most obvious and likely
> source of the traffic is customers of that ISP. As such they have
> guaranteed access to the SMTP server of Paradise.

I was under the impression that no ISP guarantees any part of their
service.


Bling Bling

--
IBM: "Linux is not just another operating system. It represents a
collaboration of the best programmers in the industry coming together to
create an operating system that works on any hardware platform."

Bling-Bling wrote:
>>>A properly configured server will have a pre-determined maximum number of
>>>concurrent connections configured and will not accept more, and will drop
>>>any further attempts until the number of concurrent connections falls
>>>below that threshold.

>>>That maximum number should be set according to the capacity of the
>>>server's hardware, and of the bandwidth available to it.

>>It's a whole different ballgame when an ISP gets what is effectively a
>>DOS attack with a flood of traffic, who knows, 10x or even more of the
>>normal amount of traffic.
>>At the very least there will be obvious network congestion from the
>>traffic into and out of the server.
>>What do you suppose is happening when the server is dropping connections?
>>Could it be that people are finding it difficult to use the server?

> If under normal conditions the server is operating *that* close to the
> limit of the bandwidth available to it, then one would have thought that
> it was past time for an additional server and/or additional bandwidth.

thats right... I forgot that all ISPs have unlimited cash to throw at
servers that are performing their job as they are and obviously need to
be faster.

Bling-Bling wrote:
>>We are talking about one particular ISP. The most obvious and likely
>>source of the traffic is customers of that ISP. As such they have
>>guaranteed access to the SMTP server of Paradise.

> I was under the impression that no ISP guarantees any part of their
> service.

from most T&Cs, yep, thats true.

Bling-Bling wrote:
> On Mon, 16 May 2005 09:21:58 +1200, Rob J wrote:
>
>
>>>A properly configured server will have a pre-determined maximum number of
>>>concurrent connections configured and will not accept more, and will drop
>>>any further attempts until the number of concurrent connections falls
>>>below that threshold.
>>>
>>>That maximum number should be set according to the capacity of the
>>>server's hardware, and of the bandwidth available to it.
>>>
>>
>>It may be easy for you to say this with your own server with a tiny
>>amount of traffic passing through it.
>>
>>It's a whole different ballgame when an ISP gets what is effectively a
>>DOS attack with a flood of traffic, who knows, 10x or even more of the
>>normal amount of traffic.
>>
>>At the very least there will be obvious network congestion from the
>>traffic into and out of the server.
>>
>>What do you suppose is happening when the server is dropping connections?
>>Could it be that people are finding it difficult to use the server?
>
>
> If under normal conditions the server is operating *that* close to the
> limit of the bandwidth available to it, then one would have thought that
> it was past time for an additional server and/or additional bandwidth.
>
If you limit access to your server at 100% of its resources,
and an attack maxes it out, your ordinary customers are
denied access. It doesn't matter if you do that or you
don't limit it. The only effect is that your customers
cannot get to the server. A server that is maxed out by a
DoS does NOT normally fall over. Though it looks like it
from the customer's end.

I can't talk for all mail server users, but I'd have thought
that it is rare to specifically to tune a mail server to
*restrict* traffic. Usually the problem is to get the
throughput.

Chers,

Cliff


--

Barzoomian the Martian - http://barzoomian.blogspot.com

In article <pan.2005.05.16.14.36.51.411301@TRACKER> in nz.comp on Tue, 17
May 2005 02:36:53 +1200, Bling-Bling <> says...
> On Mon, 16 May 2005 09:21:58 +1200, Rob J wrote:
>
> >> A properly configured server will have a pre-determined maximum number of
> >> concurrent connections configured and will not accept more, and will drop
> >> any further attempts until the number of concurrent connections falls
> >> below that threshold.
> >>
> >> That maximum number should be set according to the capacity of the
> >> server's hardware, and of the bandwidth available to it.
> >>
> >
> > It may be easy for you to say this with your own server with a tiny
> > amount of traffic passing through it.
> >
> > It's a whole different ballgame when an ISP gets what is effectively a
> > DOS attack with a flood of traffic, who knows, 10x or even more of the
> > normal amount of traffic.
> >
> > At the very least there will be obvious network congestion from the
> > traffic into and out of the server.
> >
> > What do you suppose is happening when the server is dropping connections?
> > Could it be that people are finding it difficult to use the server?
>
> If under normal conditions the server is operating *that* close to the
> limit of the bandwidth available to it, then one would have thought that
> it was past time for an additional server and/or additional bandwidth.

What is "normal" about a DOS type attack?

In article <pan.2005.05.16.14.38.13.568257@TRACKER> in nz.comp on Tue, 17
May 2005 02:38:13 +1200, Bling-Bling <> says...
> On Mon, 16 May 2005 09:22:05 +1200, Rob J wrote:
>
> > We are talking about one particular ISP. The most obvious and likely
> > source of the traffic is customers of that ISP. As such they have
> > guaranteed access to the SMTP server of Paradise.
>
> I was under the impression that no ISP guarantees any part of their
> service.

Under normal circumstances, any customer who connects to their ISP will
have automatic access to the SMTP server.