[65351] in Cypherpunks
Re: PANIX.COM down: denial of service attack
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Fri Sep 13 00:42:04 1996
To: M C Wong <mcw@hpato.aus.hp.com>
Cc: cypherpunks@toad.com
In-Reply-To: Your message of "Fri, 13 Sep 1996 14:16:51 EST."
<199609130416.AA198858212@relay.hp.com>
Reply-To: perry@piermont.com
Date: Fri, 13 Sep 1996 00:21:50 -0400
From: "Perry E. Metzger" <perry@piermont.com>

M C Wong writes:
> > > Can't access to this port be guarded against by a filtering
> > > router which is configured to accept *only* a number of
> > > trusted MX hosts ?
>
> > Sure -- if you only want to accept mail from fifteen machines on
> > earth. If on the other hand your users might get mail from anywhere on
> > earth, your mail ports have to be open to connections from anywhere.
>
> No, I am saying that we use MX field in DNS to specify our MX hosts, so
> other hosts from anywhere else will timeout connecting to the target smtp
> while trying to deliver mails directly to it, and hence will have to send
> the message to next best MX host instead, and the firewall is configured
> to permit access *only* from those MX hosts.
>
> The problem here becomes how one can protect all those MX hosts instead.

You can't. All you are doing is moving the problem. I don't see how
that could be of any possible interest. The machines in question are
already the MX hosts for the zone.

Perry
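
The trade-off argued in this exchange, as an added example that is not part of the original message: a small Python model of MX fallback behind a filtering router, showing which SMTP ports still have to accept connections from anywhere. Host names, ACLs and function names are constructed for illustration.

```python
ANY = "*"  # ACL entry meaning "accept SMTP connections from any source"

def first_hop(sender, mx_records, acl):
    """Return the MX host that accepts `sender`, trying lowest preference first.
    A filtered attempt times out and the sender falls back to the next MX.
    (Real senders randomise among equal preferences; here ties sort by name.)"""
    for _, host in sorted(mx_records):
        allowed = acl.get(host, {ANY})  # no ACL entry: host is unfiltered
        if ANY in allowed or sender in allowed:
            return host
    return None  # every MX filtered this sender

def delivery_path(sender, target, mx_records, acl):
    """Follow a message hop by hop; return (path, delivered)."""
    path, current = [sender], sender
    while current != target:
        # A relay listed as an MX only forwards to MX hosts with a lower
        # preference value than its own, which prevents mail loops.
        own = [p for p, h in mx_records if h == current]
        candidates = [(p, h) for p, h in mx_records if not own or p < own[0]]
        nxt = first_hop(current, candidates, acl)
        if nxt is None:
            return path, False
        path.append(nxt)
        current = nxt
    return path, True

def open_to_world(mx_records, acl):
    """MX hosts whose SMTP port must accept connections from arbitrary sources."""
    return sorted(h for _, h in mx_records if ANY in acl.get(h, {ANY}))

# Constructed zone: one primary mail host and two backup MX relays.
MX = [(10, "mail.example"), (20, "mx1.example"), (20, "mx2.example")]
UNFILTERED = {}
# The proposal in the thread: the router admits only the backup MX hosts.
FILTERED = {"mail.example": {"mx1.example", "mx2.example"}}
# Filtering the relays as well leaves no host that outside senders can reach.
ALL_FILTERED = dict(FILTERED, **{"mx1.example": set(), "mx2.example": set()})

if __name__ == "__main__":
    for name, acl in [("unfiltered", UNFILTERED), ("filtered", FILTERED),
                      ("all filtered", ALL_FILTERED)]:
        path, ok = delivery_path("sender.example", "mail.example", MX, acl)
        print(name, "| path:", " -> ".join(path), "| delivered:", ok,
              "| open to world:", open_to_world(MX, acl))
```
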