Dealing with ftp attacks

[john.abreau at zuken.com (John Abreau)]

What's the recommended way of dealing with ftp attacks? 

We have an ftp server for supporting our customers, running vsftpd, 
and every once in a while it's come under attack from somewhere 
in China; the attacker slams the ftp port, showing an authentication 
failure every 3 seconds, continuously until the server locks up 
four hours later. 

It happened yesterday evening, and I had to waste a few hours 
driving into work to power-cycle the server. I set up a script 
to scan the logs hourly and page me if it detected an attack, 
and about an hour after I got home, at 2 am, I got a report of 
a second attack. 

I dealt with it by blocking the ip addresses with 

    route add -net 211.152.33.0/24 reject

which interrupted the attack before the server could lock up. 
And I just got yet another alert, a few minutes ago; these 
assholes seem determined to break in. 

One concern I have is that these routes will gradually 
clog up my routing table. Also, this machine is our external 
mail server, and we have customers in China, so I can't just 
block off all of China. 

-- 
John Abreau
IT Manager
Zuken USA
238 Littleton Rd., Suite 100
Westford, MA 01886
T: 978-392-1777            F: 978-692-4725
M: 978-764-8934
E: John.Abreau at zuken.com  W: www.zuken.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.blu.org/pipermail/discuss/attachments/20061002/317661c2/attachment.sig>