Thousands of connections on port 25

Tonight, a handful of IP addresses opened close to 2500 connections to port 25 on the mail server. 2500 is the maximum limit; fewer than 50 simultaneous connections is normal. After connecting, they did nothing at all. The IP addresses belong to Facebook's outbound mail servers, but of course they could be forged. Has anyone run into something like this? Is there a good way to prevent it?

"TCPIP" 3808 "2013-04-12 21:37:19.787" "TCP - 66.220.155.135 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.787" "TCP - 66.220.155.137 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.819" "TCP - 66.220.144.163 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.819" "TCP - 66.220.144.137 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 69.171.232.166 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 66.220.155.138 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 66.220.155.154 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 66.220.144.150 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 66.220.155.161 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 66.220.155.157 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 69.171.232.142 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 66.220.155.152 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.928" "TCP - 66.220.155.147 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.928" "TCP - 66.220.155.139 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.928" "TCP - 66.220.155.161 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.943" "TCP - 66.220.155.154 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.943" "TCP - 66.220.155.159 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.959" "TCP - 66.220.144.166 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.975" "TCP - 66.220.144.155 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.990" "TCP - 69.171.232.163 connected to 12.186.192.3:25."
"TCPIP" 3808 "2013-04-12 21:37:20.006" "TCP - 66.220.155.147 connected to 12.186.192.3:25."

Answer 1

Since you can find out who the servers belong to:

  1. Take a tcpdump showing the connection setup and initial exchange with the mail server
  2. Write an email to the abuse/technical contact of the organisation that runs those servers
  3. Rate-limit incoming connections from the "troublesome" servers to a sensible value, so that they cannot affect your ability to receive other mail
  4. Break the "hanging" connections, for example by restarting the mail server
  5. Tell your users that, as long as the problem is unresolved, mail from @facebook.com may arrive late or not at all
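Step 3 needs a number to rate-limit against, and step 2 needs evidence to put in the abuse report. The script below is an added example (not part of this answer or of any mail server's own tooling) that parses connect lines in the layout the question's log excerpt uses, counts connections per source address and per /24, and flags sources whose connection rate inside a sliding window exceeds a threshold. The sample log, the TEST-NET addresses in it, and the 60-second / 3-connection thresholds are constructed for the example; the regex assumes the `"TCPIP" <id> "<timestamp>" "TCP - <src> connected to <dst>:<port>."` layout shown above and silently skips anything else.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample in the same layout as the question's log excerpt.
# Addresses are TEST-NET placeholders, not the ones from the post.
SAMPLE_LOG = """\
"TCPIP" 3808 "2013-04-12 21:37:19.787" "TCP - 192.0.2.10 connected to 198.51.100.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.787" "TCP - 192.0.2.11 connected to 198.51.100.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.819" "TCP - 192.0.2.10 connected to 198.51.100.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.850" "TCP - 192.0.2.10 connected to 198.51.100.3:25."
"TCPIP" 3808 "2013-04-12 21:37:19.865" "TCP - 203.0.113.7 connected to 198.51.100.3:25."
"TCPIP" 3808 "2013-04-12 21:37:20.006" "TCP - 192.0.2.10 connected to 198.51.100.3:25."
"TCPIP" 3808 "2013-04-12 21:37:21.000" "TCP - 192.0.2.12 connected to 198.51.100.3:587."
"TCPIP" 3808 "2013-04-12 21:38:45.100" "TCP - 192.0.2.10 connected to 198.51.100.3:25."
"""

# Assumed line layout, taken from the excerpt in the question.
LINE_RE = re.compile(
    r'^"TCPIP"\s+\d+\s+"(?P<ts>[^"]+)"\s+'
    r'"TCP - (?P<src>\d{1,3}(?:\.\d{1,3}){3}) connected to '
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\."$'
)


def parse_connections(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for every connect line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        yield ts, m.group("src"), m.group("dst"), int(m.group("port"))


def connections_per_source(events, port=25):
    """Total connections to `port`, keyed by source address."""
    return Counter(src for _, src, _, p in events if p == port)


def prefix24(ip):
    """Collapse an IPv4 address to its /24, so a sender pool shows up as one entry."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def connections_per_prefix(events, port=25):
    """Total connections to `port`, keyed by source /24."""
    return Counter(prefix24(src) for _, src, _, p in events if p == port)


def burst_sources(events, window_seconds=60, threshold=3, port=25):
    """Return {src: peak} for sources that opened more than `threshold`
    connections to `port` within any sliding window of `window_seconds`.
    `peak` is the highest count seen in such a window for that source."""
    per_src = defaultdict(list)
    for ts, src, _, p in events:
        if p == port:
            per_src[src].append(ts)

    flagged = {}
    for src, stamps in per_src.items():
        stamps.sort()
        window = deque()  # timestamps no older than window_seconds before the newest
        peak = 0
        for ts in stamps:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak > threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    events = list(parse_connections(SAMPLE_LOG))
    print("per source :", dict(connections_per_source(events)))
    print("per /24    :", dict(connections_per_prefix(events)))
    print("bursting   :", burst_sources(events))
```

In practice you would feed the real log through `parse_connections` and pick `window_seconds` and `threshold` from what "normal" looks like on your server (the question puts that below 50 concurrent connections); the per-/24 view matters because a large sender usually connects from a whole pool of addresses rather than a single one, and that is the granularity a rate limit or a temporary filter would be applied at.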

Answer 2

It looks like your smtp server is under some kind of denial-of-service attack, and the source IPs are most likely forged, i.e. spoofed (that is what I would do if I were DoSing a server). The best strategy is to deploy IP filtering to block those addresses until the attack goes away.
