USG310 Block incoming request of SMTP flood
Hello community!
I have the following constellation: a USG310 with three WAN ports. All WAN IPs are listed in the DNS for the MX record. The SMTP port is forwarded to a mail server/spam filter.
Now my problem. Since last week I've had many requests from a botnet. At first I blocked them via GeoIP, but now I get many requests from Germany and I can't block all these IPs manually. How can I set up automatic blocking of IPs that have many requests?
A little push in the right direction would help me! Thanks!
All Replies
-
Really there is no way to block unwanted traffic from wanted traffic.
Do you know if it's a port scan or a full connect to the server?
If the botnet is doing a port scan per number of ports from one IP and there is no ACK after they send a SYN and you send a SYN, ACK, you can use the ADP with scan detection and set the block period to 3600 for portscan TCP.
-
It is a full connect to the server, but it will be discarded by the DNSBL. A lot of connections per second from different IP addresses.
If it's not possible to block this, then that's how it is. The DNSBL works.
Thanks for your answer!
-
AFAIK, the only way to "limit" connections can be set on NAT Sessions, but no parameters can be set except the default number of the sessions or a custom one for a single host.
Also, due to the way SMTP connects, the goal is to have the whole internet connect to your mail server, not a whitelisted one. So the USG IMVHO cannot be a good way to manage connections.
Your MTA should have capabilities to discard unwanted connections, and to defer (not refuse) connections when resources of the system or the connection are limited. Email was never intended as real-time communication, nor is it today.
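The per-source limiting and deferral discussed in this thread, sketched as an added example that is not part of any post above and is not Zyxel or MTA functionality. The log format, the window and the connection limit are assumptions; the 3600-second block period is the value mentioned in the first reply, and "defer" stands for answering with a temporary (4xx) SMTP failure.

```python
from collections import defaultdict, deque

WINDOW_S = 10     # assumed look-back window in seconds
MAX_CONNS = 5     # assumed connections allowed per source inside the window
BLOCK_S = 3600    # block period, the value mentioned in the thread

# Constructed sample: "<epoch seconds> <source ip>" per new SMTP connection.
SAMPLE_LOG = """\
1000 203.0.113.7
1000 198.51.100.20
1001 203.0.113.7
1002 203.0.113.7
1003 203.0.113.7
1004 203.0.113.7
1005 203.0.113.7
1006 203.0.113.7
1030 198.51.100.20
2000 203.0.113.7
4700 203.0.113.7
"""

def decide(lines, window=WINDOW_S, max_conns=MAX_CONNS, block=BLOCK_S):
    """Return (decisions, blocked_until); decisions holds (ts, ip, action)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked_until = {}            # ip -> epoch at which its block expires
    decisions = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue              # skip malformed lines
        ts, ip = int(parts[0]), parts[1]
        if blocked_until.get(ip, 0) > ts:
            decisions.append((ts, ip, "defer"))   # block still active
            continue
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - window:          # drop expired timestamps
            q.popleft()
        if len(q) > max_conns:                    # rate exceeded: start block
            blocked_until[ip] = ts + block
            q.clear()
            decisions.append((ts, ip, "defer"))
        else:
            decisions.append((ts, ip, "accept"))
    return decisions, blocked_until

if __name__ == "__main__":
    for ts, ip, action in decide(SAMPLE_LOG.splitlines())[0]:
        print(ts, ip, action)
```

Counting per source only catches addresses that individually exceed the limit; connections spread thinly over many different addresses, as described in the second post, stay under it.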