North American Network Operators Group

Re: SMTP in distributed DOS
Not exactly a solution, but a fix is using a program like SpamProtect or SpamControl (even on a server that is not open to relays). Our mail servers will locally blackhole IPs from mail servers sending us far too much mail in far too short a time period. Certain large mail servers have higher thresholds. In the unlikely case a server (or several) are blackholed, our NOC is notified by the mail server for a human-intervention decision. This does not break legitimate SMTP mail, except possibly from the abused mail servers, and is context-sensitive filtering.

Deepak Jain
AiNET

On Sun, 20 Feb 2000, Dirk Harms-Merbitz wrote:

>
> SMTP bounces can be used in yet another form of Denial Of Service attack.
>
> Just imagine what happens when some script kiddie uses a few ten
> thousand trojaned cable/dsl connected home computers to send email
> to tens of thousands of domains and they all bounce back to your
> mail server!
>
> Why don't we all just turn SMTP bounces OFF? Like return-receipts,
> the information content in bounces is very low.
>
> A database would be much more efficient if you just want to know
> whether an email address is spelled correctly. Resending the entire
> message after adding a few hundred bytes is just idiotic. Especially
> if the attacker only has to send one message to generate 100 bounces.
>
> We are currently seeing this first hand: Our real mail.power.net is
> at 207.151.19.8. The attacker is sending individualized emails with
> faked headers that contain "mail.power.net (unverified [209.26.14.22])".
>
> The recipient computers are dumb enough to send their bounces to
> the real mail.power.net.
>
> This is a DOS because the innocent mail server a) gets millions of
> bounces and b) might get black listed on various "anti-spam" lists.
>
> Dirk
>
>
> Received: from mail.power.net (unverified [209.26.14.22]) by mee.yjapt.co.kr
> (EMWAC SMTPRS 0.83) with SMTP id <[email protected]>;
> Mon, 21 Feb 2000 01:20:18 +0900
> Message-ID: <[email protected]>
> From: [email protected] <[email protected]>
> Bcc:
> Subject: Private Consultants Needed for Venture Capital Firm
> Date: Mon, 30 Mar 1998 10:04:48 -0400 (EDT)
>
>
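Added example, not part of the original post and not the code of SpamProtect, SpamControl or AiNET: the rate-based local blackholing described in the reply above, with a higher threshold for a known large server and a notification hook standing in for the NOC alert. The class name, limits, window length and the documentation-range IP addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class RateBlackhole:
    """Blackhole a source IP that delivers more than its limit within `window` seconds."""
    def __init__(self, default_limit, window, overrides=None, notify=None):
        self.default_limit = default_limit
        self.window = window
        self.overrides = overrides or {}          # higher limits for known large servers
        self.notify = notify or (lambda ip, count: None)
        self.seen = defaultdict(deque)            # ip -> timestamps still inside the window
        self.blackholed = set()

    def accept(self, ip, now):
        """Return True if a message from `ip` arriving at time `now` is accepted."""
        if ip in self.blackholed:
            return False                          # stays dropped until a human releases it
        q = self.seen[ip]
        q.append(now)
        while q and q[0] <= now - self.window:    # expire timestamps older than the window
            q.popleft()
        if len(q) > self.overrides.get(ip, self.default_limit):
            self.blackholed.add(ip)
            self.notify(ip, len(q))               # one alert per blackhole, for human review
            return False
        return True

    def release(self, ip):
        """Operator decision: lift the blackhole and forget the sender's history."""
        self.blackholed.discard(ip)
        self.seen.pop(ip, None)

def run_constructed_sample():
    alerts = []
    bh = RateBlackhole(default_limit=5, window=60,
                       overrides={"192.0.2.10": 50},   # assumed large legitimate server
                       notify=lambda ip, n: alerts.append((ip, n)))
    # Constructed traffic as (seconds, source IP); not taken from any real log.
    events = [(t, "198.51.100.7") for t in range(10)]        # burst: 10 messages in 10 s
    events += [(t, "192.0.2.10") for t in range(30)]         # busy but under its override
    events += [(t * 30, "203.0.113.5") for t in range(10)]   # steady, slow sender
    accepted = defaultdict(int)
    for t, ip in sorted(events):
        if bh.accept(ip, t):
            accepted[ip] += 1
    return dict(accepted), alerts, bh
```

In the constructed traffic only the bursting sender is blackholed, and it stays dropped until `release()` is called, which mirrors the human-intervention step in the reply.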