[Mailman-Users] Defending against DDOS style scanning

Stephen J. Turnbull stephen at xemacs.org
Sat Jun 18 06:38:55 EDT 2016

Gretchen R Beck writes:

 > We had a group of machines hit our mailman server hard last night
 > -- trying all the advertised lists and their corresponding URLS.
 > After shutting down and restarting the webserver, the attempts
 > stopped.

This doesn't tell us enough to give useful advice, because there are a
wide variety of attacks that could be described with the above words.
There is no way to protect against all of them.  Some, you just have
to ride out.  Others, you need cooperation from your provider and
sometimes the backbone providers.  Some, you can take preventive
action: firewalls, blacklisting IPs, requiring strong authentication.

One interesting question is, is it possible that there were software
upgrades pending (i.e., the server executables and configuration files
had been upgraded, but the daemons not restarted)?  I'm a little
surprised that a "hard hit" wasn't followed up when your servers went
back online, but it's possible that they were attacking known
weaknesses of particular versions of certain applications.  Of course
it's also possible they just went on to the next target on a list.

 > What (if anything) are folks doing to protect against such events?

Many things, but it depends on just what "events" shut you down.

- What were the attackers "trying"?  To subscribe?  To post?  To
  access list archives?  To receive subscriber lists?  Something else?

- How often did they "hit" (access) each list and each URL?

- What resources did your system run out of?  Disk?  CPU?  Network
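The questions above (what was being tried, how often each list and URL was hit) are mostly answerable from the web server's access log. As an added example, not part of this thread, the script below parses constructed Apache common-log lines, maps Mailman 2 CGI paths to what each request was trying to do, and reports per source address the number of distinct lists touched and the peak requests per minute; the log format, threshold and sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Mailman 2.x CGI names under /mailman/ and what a request to each is "trying"
MAILMAN_CGI = {
    "listinfo": "view list info", "subscribe": "subscribe", "roster": "read subscriber list",
    "private": "read private archives", "admin": "admin login", "admindb": "moderator login",
    "options": "member options", "confirm": "confirm a token",
}
# Apache common/combined log format (assumed); trailing referer/agent fields are ignored
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
PATH_RE = re.compile(r'^/mailman/(?P<cgi>[a-z]+)(?:/(?P<list>[^/?]+))?')

def parse_line(line):
    # Return a dict for a Mailman CGI request, None for anything else (static files, archives)
    m = LOG_RE.match(line)
    p = PATH_RE.match(m["path"]) if m else None
    if not p or p["cgi"] not in MAILMAN_CGI:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "cgi": p["cgi"], "list": p["list"]}

def summarize(lines, burst_per_minute=20):
    """Per source IP: distinct lists touched, what was tried, and peak hits per minute."""
    per_ip = defaultdict(lambda: {"lists": set(), "tried": Counter(), "minute": Counter()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_ip[ev["ip"]]
        if ev["list"]:
            s["lists"].add(ev["list"])
        s["tried"][MAILMAN_CGI[ev["cgi"]]] += 1
        s["minute"][ev["ts"].replace(second=0)] += 1   # bucket by minute
    return {ip: {"lists": len(s["lists"]), "tried": dict(s["tried"]),
                 "peak_per_minute": max(s["minute"].values()),
                 "burst": max(s["minute"].values()) >= burst_per_minute}
            for ip, s in per_ip.items()}

# Constructed sample: one address walks 25 listinfo pages plus a roster within one minute;
# a normal visitor reads one listinfo page and a pipermail archive (not a CGI, so ignored).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Jun/2016:23:14:%02d -0400] "GET /mailman/listinfo/list%d HTTP/1.1" 200 4321'
    % (i, i) for i in range(25)
] + [
    '203.0.113.7 - - [17/Jun/2016:23:14:30 -0400] "GET /mailman/roster/list3 HTTP/1.1" 401 512',
    '198.51.100.4 - - [17/Jun/2016:23:15:02 -0400] "GET /mailman/listinfo/announce HTTP/1.1" 200 4321',
    '198.51.100.4 - - [17/Jun/2016:23:15:09 -0400] "GET /pipermail/announce/ HTTP/1.1" 200 9000',
]
```

Running `summarize(SAMPLE_LOG)` flags 203.0.113.7 as a burst (26 requests in one minute across 25 lists) while the ordinary visitor is not flagged; the same report run over the real access log is what the thread's "how often" and "trying what" questions need.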