Re: Mailman attack in progress
Glen <glen@amsl.com> Mon, 14 August 2017 03:09 UTC
In-Reply-To: <CABL0ig7VW_eNC8qEiX0+a71if1L0FnxEJn6usssQu+1Ox5nQOQ@mail.gmail.com>
References: <CABL0ig7VW_eNC8qEiX0+a71if1L0FnxEJn6usssQu+1Ox5nQOQ@mail.gmail.com>
From: Glen <glen@amsl.com>
Date: Sun, 13 Aug 2017 20:08:38 -0700
Message-ID: <CABL0ig4UT4Ebfzdf2ce1vu-Q76Ei_A7Yk=q-fkGfDU8o2VWjeA@mail.gmail.com>
Subject: Re: Mailman attack in progress
To: ietf-announce@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/C0GAK2D1lQQUJdv5orvx166r1Ro>
A brief update on our Mailman attack.

After analyzing the attack pattern, I've added a new long-term measure into Mailman that is preventing these botnet subscription attempts from being honored (whilst still allowing humans to subscribe).

I then turned my attention to Cloudflare. After some experimentation (and manual-reading!) I discovered that - with a little custom crafting - one can actually use Cloudflare to mitigate this type of attack quite nicely. I inserted some custom rules that have all but halted the incoming flood completely.

So Mailman subscription service is back online (for humans only!) and we appear to be back to normal.

Thank you for your patience during this interruption.

Glen

--
Glen Barney
IT Director
AMS (IETF Secretariat)