From: “Perry E. Metzger” <perry@piermont.com>
To: M C Wong <mcw@hpato.aus.hp.com>
Message Hash: 62edcc32b53044f8a88a5a6d9c4a1d9f0d0343a07d5cb078de7f7de9f6f8c57c
Message ID: <199609130421.AAA09822@jekyll.piermont.com>
Reply To: <199609130416.AA198858212@relay.hp.com>
UTC Datetime: 1996-09-13 07:36:10 UTC
Raw Date: Fri, 13 Sep 1996 15:36:10 +0800
Subject: Re: PANIX.COM down: denial of service attack

M C Wong writes:
> > > Can't access to this port be guarded against by a filtering
> > > router which is configured to accept *only* a number of
> > > trusted MX hosts ?
>
> > Sure -- if you only want to accept mail from fifteen machines on
> > earth. If on the other hand your users might get mail from anywhere on
> > earth, your mail ports have to be open to connections from anywhere.
>
> No, I am saying that we use MX field in DNS to specify our MX hosts, so
> other hosts from anywhere else will timeout connecting to the target smtp
> while trying to deliver mails directly to it, and hence will have to send
> the message to next best MX host instead, and the firewall is configured
> to permit access *only* from those MX hosts.
>
> The problem here becomes how one can protect all those MX hosts instead.

You can't. All you are doing is moving the problem. I don't see how
that could be of any possible interest. The machines in question are
already the MX hosts for the zone.

Perry