SMTP outside of fw-rules?

Hi Peter,

maybe your rule to drop that traffic don’t work properly. Did you validate that? Maybe show how you designed that.

Btw I think depending on the size of the attack you need support of a provider at backbone level or CDN.

Best regards 

Alex 

Hi Peter,

maybe your rule to drop that traffic don’t work properly. Did you validate that? Maybe show how you designed that.

Btw I think depending on the size of the attack you need support of a provider at backbone level or CDN.

Best regards 

Alex 

Hi Alex

Thanks for the answer

I use UTM Firmware version 9.700-5

The fw-rule:

Sources: the Network
Services: Any
Destinations: Any
Action: Drop
Time Period: Always

In the fw-log i can see all drops from this network to syn on ports like 80/443/22
I dont see any drops of syn to smtp tcp-ports (25/465/587)
And the LAN Connections screen has a lot of SYN_RECV from this network with smtp tcp-port 25/465/587

At the moment, the attack has stopped

Regards

Peter

Hi Peter,

according to the function of the UTM, see Rule #2 https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz

the proxy will grab the connection before the firewall rules apply. Try a blackhole DNAT. (At the moment I have no example ready, try a search in the forum. There are some examples for sure)

Best regards 

Alex 

That should fit: https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/41512/blocking-a-hacker

Btw did you configure the option TCP-SYN-Flood under Anti-DOS?

TCP-SYN-Flood: yes

I understood this
I have now configured the DNAT rule with one exception:
I created the fw-rule manually and instead of an allow I defined a drop. So the syn is not routed to default.
The problem is solved for me
Thanks and greetings from Switzerland