Re: Sendmail + DoS???
- From: "René Berber" <rberber@xxxxxxxxxxxxxxx>
- Date: 29 Aug 2006 11:52:37 -0700
grpprod wrote:
[snip]
> I have found a solution, though. After increasing the log level and
> carefully examining the behaviour of the server for those mails, I have
> found that 'hanging' occurs just after the 354 response (i.e. after 'DATA').
> So I used the following, which enforces a timeout at this stage:
>
> define(`confTO_DATAINIT', `1m')dnl
> define(`confTO_DATABLOCK', `1m')dnl
>
> This seems to solve the problem for me. I haven't used 'confTO_DATAFINAL'
[snip]
You probably are looking at more than one problem. The first one was a
kind of dictionary attack where they are testing names to see which one
is accepted. Throttle and connection rate limit are solutions for that.
The second problem is what you describe above: with a valid recipient,
sendmail responds "OK, send me the message" and waits; if the other side
doesn't send anything then the connection is left open. But the same
server cannot open more than the allowed number of simultaneous
connections, so you only have those left open unless you get the same
treatment from a different IP or the same one waits the 1 minute.
I use milter-error to stop the kind of dictionary attacks that include
a valid recipient. It's not 100% effective because milter-error counts
errors, and one connection could try to deliver several messages and
each message usually includes several recipients (each unknown address
does not count as an error, only the whole message does), so they get to
test at least a dozen names until 3 errors are counted (that's the
parameter I use) and milter-error finally stops them. Sometimes they
do get to deliver some spam before they are stopped. But I've never
seen them not trying to deliver something like you describe.
Your solution plus milter-error could stop the case where the attacker
does its job slowly (and thus can avoid connection rate limit).
Milter-error just needs to see that an error happened.
Another option, which requires much more work because it's not
automated, is to black-list those servers. In access db just add
"Connect:IP-of-attacker REJECT". The same could be done with
tcp-wrappers (if sendmail was compiled with support for that).
Again, a combination of your solution and tcp-wrappers could be used to
automate the blacklist, i.e. a process watches the mail log, and when a
message shows that somebody tripped the start-data-delivery timeout, a
counter can be incremented; when the counter reaches a limit the IP
can be added to /etc/hosts.deny, and after some time hosts.deny can be
cleaned (I'm describing how DenyHosts works for ssh).
--
René Berber
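The log-watching automation described in the last paragraph of the reply above, written out as an added Python example (not code from the thread, from sendmail or from DenyHosts): it counts DATA-phase timeouts per peer IP, flags an IP once a limit is crossed inside a sliding window, renders the hosts.deny entries, and reports which entries are old enough to clean out. The exact sendmail log text, the syslog year and the daemon name "sendmail" in hosts.deny are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sendmail log text for the input timeout confTO_DATABLOCK enforces
# during message collect; the peer appears as "host [ip]" or just "[ip]".
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?:sendmail|sm-mta)\[\d+\]: \S+: "
    r"timeout waiting for input from (?:\S+ )?\[(?P<ip>\d+(?:\.\d+){3})\] during"
)
YEAR = 2006  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample log: one peer trips the timeout three times, another once.
SAMPLE_LOG = [
    "Aug 29 11:50:01 mx sm-mta[4011]: k7TIo1aa004011: timeout waiting for input from [192.0.2.10] during message collect",
    "Aug 29 11:51:30 mx sm-mta[4012]: k7TIpUbb004012: timeout waiting for input from [192.0.2.10] during message collect",
    "Aug 29 11:53:05 mx sm-mta[4013]: k7TIr5cc004013: timeout waiting for input from [192.0.2.10] during message collect",
    "Aug 29 11:54:00 mx sm-mta[4014]: k7TIs0dd004014: timeout waiting for input from mail.example.net [198.51.100.7] during message collect",
    "Aug 29 11:55:12 mx sm-mta[4015]: k7TItCee004015: to=<user@example.com>, delay=00:00:01, stat=Sent",
]

def parse_timeouts(lines):
    """Yield (timestamp, ip) for each DATA-phase timeout; other lines are skipped."""
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if m:
            yield datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def offenders(lines, limit=3, window_minutes=60):
    """Map IP -> time it reached `limit` timeouts within a sliding window."""
    hits = defaultdict(list)
    blocked = {}
    for ts, ip in parse_timeouts(lines):
        hits[ip] = [t for t in hits[ip] if ts - t <= timedelta(minutes=window_minutes)] + [ts]
        if len(hits[ip]) >= limit and ip not in blocked:
            blocked[ip] = ts
    return blocked

def hosts_deny_lines(blocked):
    """Render tcp-wrappers entries; the daemon name 'sendmail' is assumed."""
    return [f"sendmail: {ip}" for ip in sorted(blocked)]

def expired(blocked, now, ttl_hours=24):
    """IPs whose entry is at least `ttl_hours` old, i.e. due to be cleaned out."""
    return {ip for ip, since in blocked.items() if now - since >= timedelta(hours=ttl_hours)}

if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_LOG)):
        print(entry)
```

In practice the watcher would tail the live log and rewrite hosts.deny from the surviving entries each cycle; the sample here is processed once.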