On Wed, Jan 07, 2009 at 02:54:33PM +0900, Christian Balzer wrote:
Hello and a happy new year,
a couple of days ago one of our perdition servers exceeded the 1024 pop3
connections limit configured (normal usage is about 30-50 parallel
connections). It turned out that all these connections had been eaten up
by some customer trying to pop his email from China and instead of firing
off a connection every 2 minutes things seemed to fail on his end and
groups of 3-6 parallel connects (which failed in turn again) came hurtling
in.
We have been using perdition for over 4 years and have a huge customer
base with over 1.5 million pop3 connects per day and never seen anything
like this, so my guess here is that this is not (purely) a client thing
but that the grate(sic) firewall of China is involved, too.
Anyways, this is a typical example:
---
Jan 7 12:15:10 pp12 perdition[16881]: Connect: 218.1.143.164->203.216.5.113
Jan 7 12:15:10 pp12 perdition[16886]: Connect: 218.1.143.164->203.216.5.113
Jan 7 12:15:10 pp12 perdition[16889]: Connect: 218.1.143.164->203.216.5.113
Jan 7 12:38:19 pp12 perdition[16881]: io_read: read: Connection timed out
Jan 7 12:38:19 pp12 perdition[16881]: __token_fill_buffer: error reading input: Connection timed out
Jan 7 12:38:19 pp12 perdition[16881]: token_read: token_fill_buffer
Jan 7 12:38:19 pp12 perdition[16881]: read_line: token_read
Jan 7 12:38:19 pp12 perdition[16881]: pop3_in_get_pw: pop3_in_get_pw: read_line
Jan 7 12:38:19 pp12 perdition[16881]: main: protocol->in_get_pw
Jan 7 12:38:19 pp12 perdition[16881]: Fatal Error reading authentication information from client "218.1.143.164->203.216.5.113 ": Exiting child
---
Aside from being a good starting measure against a DoS attack in general a
feature where one could set a timeout for the maximum time that a process
is allowed to be in "connect" state (I would set this to 1 minute or less)
would be a very welcome addition.
The problem I raised in
http://lists.vergenet.net/pipermail/perdition-users/2008-February/001973.ht…
would benefit (as in workaround) from such a feature, too.
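The pattern in the excerpt above (one source address opening several connects at once, each then sitting in the "connect" state for over twenty minutes before the read times out) can be spotted from the perdition log itself. The following is an added example, not perdition code and not something either poster supplied: it parses the two message shapes that appear in the excerpt ("Connect: src->dst" and the "Fatal Error ... Exiting child" line carrying the same pair), measures how long each child stayed between its Connect and its exit, and counts how many children one source address has open at each connect. The 60-second threshold is the one-minute limit Christian suggests; the three-parallel threshold and the extra connect from 192.0.2.10 are constructed for the sample.

```python
"""Offline checker for perdition logs: flag sessions that sit in the connect
state too long and source addresses that open many connects in parallel.

Added example, not perdition's own code. It assumes only the two message
shapes visible in the list excerpt; any other perdition message is ignored.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the Connect, io_read and Fatal Error lines from the
# excerpt (wrapped lines joined) plus one constructed connect from 192.0.2.10.
SAMPLE_LOG = """\
Jan 7 12:15:10 pp12 perdition[16881]: Connect: 218.1.143.164->203.216.5.113
Jan 7 12:15:10 pp12 perdition[16886]: Connect: 218.1.143.164->203.216.5.113
Jan 7 12:15:10 pp12 perdition[16889]: Connect: 218.1.143.164->203.216.5.113
Jan 7 12:15:12 pp12 perdition[16890]: Connect: 192.0.2.10->203.216.5.113
Jan 7 12:38:19 pp12 perdition[16881]: io_read: read: Connection timed out
Jan 7 12:38:19 pp12 perdition[16881]: Fatal Error reading authentication information from client "218.1.143.164->203.216.5.113 ": Exiting child
"""

# syslog prefix: "Mon  D HH:MM:SS host perdition[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"perdition\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^Connect:\s+(?P<src>[\d.]+)->(?P<dst>[\d.]+)")
FATAL_RE = re.compile(
    r'^Fatal Error .*from client "(?P<src>[\d.]+)->[\d.]+\s*":\s*Exiting child'
)


def parse_line(line):
    """Return (timestamp, pid, message) for a perdition syslog line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults it to 1900, which is
    # harmless when only differences within one day's log are computed
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, int(m.group("pid")), m.group("msg")


def analyze(log_text, max_connect_seconds=60, max_parallel=3):
    """Walk the log in order and report:
    slow      -> (pid, src, seconds) children that exited after more than
                 max_connect_seconds without ever getting past authentication
    bursts    -> (src, time, count) moments a source reached max_parallel
                 simultaneously open children
    still_open-> src -> children with a Connect but no exit by end of log
    """
    open_sessions = {}          # pid -> (src, start timestamp)
    per_src = defaultdict(set)  # src -> pids currently open
    slow, bursts = [], []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, pid, msg = parsed
        c = CONNECT_RE.match(msg)
        if c:
            src = c.group("src")
            open_sessions[pid] = (src, ts)
            per_src[src].add(pid)
            if len(per_src[src]) >= max_parallel:
                bursts.append((src, ts.strftime("%H:%M:%S"), len(per_src[src])))
            continue
        f = FATAL_RE.match(msg)
        if f and pid in open_sessions:
            src, start = open_sessions.pop(pid)
            per_src[src].discard(pid)
            elapsed = int((ts - start).total_seconds())
            if elapsed > max_connect_seconds:
                slow.append((pid, src, elapsed))
    still_open = {src: len(pids) for src, pids in per_src.items() if pids}
    return {"slow": slow, "bursts": bursts, "still_open": still_open}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for pid, src, secs in report["slow"]:
        print(f"pid {pid} from {src} sat in connect state for {secs}s")
    for src, when, n in report["bursts"]:
        print(f"{src} had {n} children open at {when}")
    for src, n in report["still_open"].items():
        print(f"{src}: {n} child(ren) still open at end of log")
```

Run against the sample it reports child 16881 as having waited 1389 seconds (12:15:10 to 12:38:19) for authentication data, 218.1.143.164 reaching three open children in the same second, and two of that address's children plus the 192.0.2.10 one still open when the excerpt ends. Pointing it at a real log only needs the same two message shapes; a successful-login or normal-close message would have to be added to `analyze` as a second session-ending pattern.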
Hi Christian,
that sounds like a very reasonable suggestion, and I suspect
something that wouldn't be too hard to add - though I haven't
inspected the relevant code paths recently.
--
Simon Horman
VA Linux Systems Japan K.K., Sydney, Australia Satellite Office
H: www.vergenet.net/~horms/
W: www.valinux.co.jp/en