[7758] in bugtraq
Re: News DoS using sendsys
daemon@ATHENA.MIT.EDU (Scott Gifford)
Wed Aug 26 19:38:45 1998
Date: Wed, 26 Aug 1998 18:06:09 -0400
Reply-To: Scott Gifford <sgifford@tir.com>
From: Scott Gifford <sgifford@TIR.COM>
X-To: Walter Hafner <hafner@in.tum.de>
To: BUGTRAQ@NETSPACE.ORG
>I think we (a local ISP in Augsburg/Germany ...) are hit by a DoS that
>wasn't described here before:
>
>Our newsserver (INN) all of a sudden gets several 100 'sendsys' requests
>per day. The addresses of the people requesting the sendsys seem to be
>completely random. They all seem to be normal user-accounts. We see
>these sendsys requests for about a week now.

Yeah, this happened to us last week, only with many more than 100. We had
sendsys mailing us, and it *still* killed our server from all the mail and
shlock processes. We changed it to drop and killed off all of the processes
currently dealing with sendsys, and the problem went away.

There are supposed to be some options in Cleanfeed 0.95.7 and newer to
deal with this, as well as other nasty INN tricks. You can download it
from:

http://www.exit109.com/~jeremy/cleanfeed.html
ftp://ftp.exit109.com/users/jeremy/
-------Scott.
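
An added example, not part of the original message or of INN: a small audit that reports which action an INN control.ctl file would apply to a sendsys control message from a given sender, and flags anything other than drop, the setting the reply above says made the problem go away. The sample file, the addresses and the function names are constructed; the four-field layout (message:from:newsgroups:action) with the last matching line taking effect, and a single wildcard pattern in the from field, are assumptions about the file format.

```python
import fnmatch

# Constructed sample control.ctl (not from the post). Assumed field layout:
# message:from:newsgroups:action, where the LAST matching line takes effect.
SAMPLE = """\
all:*:*:mail
sendsys:*:*:mail
sendsys:news@hub.example:*:doit
"""

def parse(text):
    """Return (lineno, message, from_pattern, action) for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 3)]
        if len(parts) == 4:          # skip anything that is not a 4-field rule
            rules.append((lineno, parts[0], parts[1], parts[3]))
    return rules

def effective_action(rules, message, sender):
    """Action that applies to `message` posted by `sender` (None if no rule)."""
    hit = None
    for lineno, msg, pattern, action in rules:
        if msg in (message, "all") and fnmatch.fnmatch(sender.lower(), pattern.lower()):
            hit = (lineno, action)   # keep overwriting: last match wins
    return hit

def audit(text, senders, messages=("sendsys",)):
    """Map (message, sender) -> (lineno, action) wherever the action is not drop."""
    rules = parse(text)
    findings = {}
    for message in messages:
        for sender in senders:
            hit = effective_action(rules, message, sender)
            if hit is None or hit[1] != "drop":
                findings[(message, sender)] = hit
    return findings

if __name__ == "__main__":
    for key, hit in audit(SAMPLE, ["user@random.example", "news@hub.example"]).items():
        print(key, "->", hit)
```

Because the last match wins under the stated assumption, a per-site exception placed after a catch-all drop line would still be reported, which is why the audit takes a list of sender addresses rather than checking only the wildcard rule.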