[65351] in Cypherpunks


Re: PANIX.COM down: denial of service attack

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Fri Sep 13 00:42:04 1996

To: M C Wong <mcw@hpato.aus.hp.com>
Cc: cypherpunks@toad.com
In-Reply-To: Your message of "Fri, 13 Sep 1996 14:16:51 EST."
             <199609130416.AA198858212@relay.hp.com> 
Reply-To: perry@piermont.com
Date: Fri, 13 Sep 1996 00:21:50 -0400
From: "Perry E. Metzger" <perry@piermont.com>


M C Wong writes:
> > > Can't access to this port be guarded against by a filtering
> > > router which is configured to accept *only* a number of
> > > trusted MX hosts?
> 
> > Sure -- if you only want to accept mail from fifteen machines on
> > earth. If on the other hand your users might get mail from anywhere on
> > earth, your mail ports have to be open to connections from anywhere.
> 
> No, I am saying that we use the MX field in DNS to specify our MX hosts, so
> other hosts from anywhere else will time out connecting to the target smtp
> while trying to deliver mail directly to it, and hence will have to send
> the message to the next best MX host instead, and the firewall is configured
> to permit access *only* from those MX hosts.
> 
> The problem here becomes how one can protect all those MX hosts instead.

You can't. All you are doing is moving the problem. I don't see how
that could be of any possible interest. The machines in question are
already the MX hosts for the zone.

Perry
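
The filtering arrangement debated in this message, modeled as an added example (not part of the original post): sender-side MX selection with and without a port 25 filter in front of the primary host, counting which host ends up accepting connections from arbitrary sources. The host names, preference values and function names are constructed assumptions.

```python
from collections import Counter

# Constructed zone (assumption, not from the message): lower preference = tried first.
MX_RECORDS = [(10, "mail.example.net"), (20, "mx1.example.net"), (30, "mx2.example.net")]
PROTECTED = "mail.example.net"
TRUSTED_RELAYS = {"mx1.example.net", "mx2.example.net"}


def router_permits(src, dst, filtered):
    """Port 25 filter: with filtering on, only the relay MX hosts reach PROTECTED."""
    if not filtered or dst != PROTECTED:
        return True
    return src in TRUSTED_RELAYS


def first_accepting_mx(sender, filtered, down=frozenset()):
    """Sender-side MX logic: walk records by preference, skip hosts that time out.

    Returns the host whose SMTP port ends up taking the connection from
    `sender`, or None if every MX is unreachable.
    """
    for _pref, host in sorted(MX_RECORDS):
        if host not in down and router_permits(sender, host, filtered):
            return host
    return None


def exposure(senders, filtered, down=frozenset()):
    """Count, per host, connections accepted directly from arbitrary senders."""
    return Counter(first_accepting_mx(s, filtered, down) for s in senders)


if __name__ == "__main__":
    # Constructed sources standing in for "anywhere on earth".
    senders = [f"host{i}.example.org" for i in range(1000)]
    print("no filter:       ", dict(exposure(senders, filtered=False)))
    print("filter on:       ", dict(exposure(senders, filtered=True)))
    print("filter, mx1 down:", dict(exposure(senders, True, down={"mx1.example.net"})))
```

With the filter on, every connection that used to land on the primary lands on the next MX instead, so the set of hosts with port 25 open to the world has changed but not shrunk to zero.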
