Last week the pop3 service of our mail server running NetBSD 4.0
was hit by a password guessing attack. The connection rate was so
high that the service was disabled immediately.
Jul 4 18:19:28 mail inetd[14963]: pop3/tcp max spawn rate (200 in 60
seconds) exceeded; service not started
Since inetd was running with libwrap connection logging (-l), I
added the attacker's IP address to /etc/hosts.deny and restarted
the inetd daemon. But it didn't help. I saw in /var/log/authlog
that connections were refused.
Jul 4 18:29:25 mail inetd[8924]: refused connection from xxx.xxx.xxx.xxx,
service pop3 (tcp)
But after some seconds the pop3 service was down again.
Jul 4 18:29:28 mail inetd[9003]: pop3/tcp max spawn rate (200 in 60 seconds)
exceeded; service not started
It seems that the connections refused by libwrap were also
counted in the sense of the maximum number of server instances that
may be spawned from inetd within an interval of 60 seconds.
If so, libwrap is not useful to prevent DoS attacks.
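One way to confirm this behaviour from the authlog itself, as an added example that is not part of the original post: it parses the two inetd message shapes quoted above, counts libwrap refusals per source inside a sliding 60-second window, and reports any source whose refusals alone reach the spawn limit. The log lines it runs on are constructed (documentation-range addresses), and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line shapes quoted in the post: a libwrap refusal and the spawn-rate trip.
REFUSED_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+inetd\[\d+\]: "
                        r"refused connection from (\S+), service (\S+) \((\w+)\)$")
SPAWN_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+inetd\[\d+\]: "
                      r"(\S+) max spawn rate \((\d+) in (\d+) seconds\) exceeded")

def parse_ts(text, year=2008):
    # syslog timestamps carry no year; one is assumed so they can be compared
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")

def peak_refused_per_source(lines, window=60):
    """Highest number of libwrap refusals per (source, service, proto) inside any
    `window`-second span. Each refusal still used a spawn slot, so this is the
    pressure a source put on inetd's spawn-rate counter even while denied."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for line in lines:
        m = REFUSED_RE.match(line)
        if not m:
            continue
        ts, src, service, proto = m.groups()
        key, t = (src, service, proto), parse_ts(ts)
        q = recent[key]
        q.append(t)
        while (t - q[0]).total_seconds() >= window:  # drop events outside the window
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return dict(peak)

def spawn_limit_events(lines):
    """(service, limit) for every 'max spawn rate ... exceeded' line."""
    return [(m.group(2), int(m.group(3))) for m in map(SPAWN_RE.match, lines) if m]

def sources_that_can_disable(lines, limit):
    """Sources whose refusals alone reach the spawn limit within one window."""
    return sorted(src for (src, _, _), n in peak_refused_per_source(lines).items() if n >= limit)

def constructed_authlog():
    """Constructed authlog: one source at ~7 connections/s for 30 s, one quiet source."""
    def line(t, pid, src):
        return f"{t:%b} {t.day:>2} {t:%H:%M:%S} mail inetd[{pid}]: refused connection from {src}, service pop3 (tcp)"
    base = datetime(2008, 7, 4, 18, 29, 25)
    lines = [line(base + timedelta(seconds=i // 7), 8924 + i, "192.0.2.10") for i in range(210)]
    lines += [line(base + timedelta(seconds=s), pid, "198.51.100.7")
              for s, pid in ((-85, 8900), (5, 9150), (6, 9151))]
    lines.append("Jul  4 18:29:55 mail inetd[9003]: pop3/tcp max spawn rate (200 in 60 seconds) "
                 "exceeded; service not started")
    return sorted(lines, key=lambda l: parse_ts(l[:15]))

if __name__ == "__main__":
    log = constructed_authlog()
    print(spawn_limit_events(log), sources_that_can_disable(log, 200))
```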