DOS Attack from Bulgaria

Submitted by tarvid on Wed, 02/15/2017 - 09:55

Web server down for a few minutes yesterday around 10:45. Found several attacks on mail and web server. The attacks came from a Windows Remote Desktop Server in Bulgaria with no other ports open.

It is likely the Bulgarian server was compromised and the culprit could have been anywhere. There is a black market in compromised IPs (Internet Protocol addresses) which can be bought for a few pennies each.

After a restart of the web server, the attacker disappeared and normal service resumed.

Dictionary attacks are common; today's come from China. The mail server gets probed for an open relay, and the FTP server gets dozens of attempted connections. These get rejected, but they still place a burden on the server. Fortunately, passwords are generally secure. I am considering a PKI (Public Key Infrastructure) approach, which would cause some inconvenience to FTP users.

The server employs a 40,000+ block list updated weekly. I could add more or even widen the individual entries to broader blocks.
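As an added illustration of the two ideas above (spotting dictionary and relay probes in the logs, and widening individual block-list entries into broader blocks), here is a small Python 3 script using only the standard library. It is not the author's code or the server's actual block list: the log format, the sample lines, and the thresholds (5 rejections for a single host, 3 offending hosts before a whole /24 is listed) are constructed assumptions for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an assumed, generic format
# (not the format of any particular FTP or mail daemon).
SAMPLE_LOG = """\
2017-02-15T10:41:02 ftp auth-failure user=admin from=203.0.113.10
2017-02-15T10:41:03 ftp auth-failure user=admin from=203.0.113.10
2017-02-15T10:41:04 ftp auth-failure user=root from=203.0.113.10
2017-02-15T10:41:05 ftp auth-failure user=test from=203.0.113.10
2017-02-15T10:41:06 ftp auth-failure user=guest from=203.0.113.10
2017-02-15T10:41:07 ftp auth-failure user=admin from=203.0.113.10
2017-02-15T10:42:10 smtp relay-attempt rejected from=198.51.100.5
2017-02-15T10:42:11 smtp relay-attempt rejected from=198.51.100.6
2017-02-15T10:42:12 smtp relay-attempt rejected from=198.51.100.7
2017-02-15T10:42:13 smtp relay-attempt rejected from=198.51.100.8
2017-02-15T10:43:00 ftp auth-failure user=bob from=192.0.2.44
2017-02-15T10:43:30 ftp auth-success user=bob from=192.0.2.44
"""

# Matches a rejected login or relay attempt and captures the source IPv4 address.
FAILURE_RE = re.compile(
    r"\b(auth-failure|relay-attempt rejected)\b.*\bfrom=(\d+\.\d+\.\d+\.\d+)"
)


def count_failures(log_text):
    """Return a Counter mapping source IP -> number of rejected attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def candidate_blocks(counts, per_host=5, hosts_per_net=3, prefix=24):
    """Turn failure counts into block-list entries (CIDR strings).

    A single host is listed on its own when it exceeds per_host rejections.
    When hosts_per_net or more distinct offending hosts sit inside the same
    /prefix network, the whole network is listed instead of the individual
    hosts: this is the "widen individual entries to broader blocks" step.
    """
    by_net = defaultdict(set)
    for ip in counts:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net].add(ip)

    entries = set()
    for net, hosts in by_net.items():
        if len(hosts) >= hosts_per_net:
            entries.add(str(net))
            continue
        for ip in hosts:
            if counts[ip] >= per_host:
                entries.add(f"{ip}/32")
    return sorted(entries, key=ipaddress.ip_network)


def merge_blocklist(existing, new_entries):
    """Merge new entries into an existing list, collapsing redundant ones.

    Individual /32 entries already covered by a wider block are dropped and
    adjacent networks are joined, which keeps a large weekly list compact.
    """
    nets = [ipaddress.ip_network(e) for e in list(existing) + list(new_entries)]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_blocked(ip, entries):
    """True if the address falls inside any entry of the block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e) for e in entries)


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    new = candidate_blocks(counts)
    # Constructed "existing" list, standing in for the weekly block list.
    merged = merge_blocklist(["198.51.100.5/32", "10.0.0.1/32"], new)
    print("rejections per source:", dict(counts))
    print("new entries:", new)
    print("merged block list:", merged)
```

On the sample above the single FTP brute-forcer is listed as a /32, the four relay probes from neighbouring addresses are replaced by one /24, and the host with a single failure followed by a success is left alone. The thresholds trade false positives against coverage: a /24 that hosts a whole ISP's customers will catch legitimate users too, so widening is best reserved for ranges where several distinct hosts misbehave.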