Sendmail crushed under botnet attacks

Each night, sometime between 23:00 and 03:00 CST, our new MX server gets CRUSHED by botnet attacks from Poland. We've tried both the sendmail shipped with Solaris 10 (sparc) and compiling our own. We've tried setting the confMAX_DAEMON_CHILDREN to anything from 500 to 200. We've tried setting the confCONNECTION_RATE_THROTTLE from 50 to 10. The load on the server never really gets above 1.0 or so, so DELAY_LA and REFUSE_LA never come into effect. With the Sun shipped and patched sendmail and logging cranked up to 12, we were getting the "found 201 children, expecting 200" error. We don't see this with the sendmail.org version 8.13.9. Two older Sun boxes (2.8) running Solaris 8.12.9 hum along happily, simply refusing connections until the storm passes. I'm starting to really dislike Solaris 10 and sendmail. I've never been a fan of sendmail, but that's not really my choice. I'm tempted to reinstall the machine with Solaris 2.9, just to see if things improve. I'm hoping I don't have to do that. What tips do you have to help me track down the wound in our system?

[1096 byte] By [chewiea] at [2007-11-26 13:36:12]
# 1
When you say crushed, what do you mean? Obviously you're not talking about really high load average, since you say that doesn't go up. Does your box run out of memory? If so, try setting MAX_DAEMON_CHILDREN lower. Try 100 or 50.
robert.cohena at 2007-7-7 22:21:01
# 2

Sorry about the relatively late reply. Crushed in the sense that virtual memory is exhausted, hundreds of sendmail processes sitting about, and eventually no resources to fork new processes. The system load is relatively nil. We've tried pretty much every trick in the book for rate limiting from Sendmail itself.

Eventually, we re-installed Solaris 9, which performed in a rock-solid manner.

chewiea at 2007-7-7 22:21:01