[27462] in North American Network Operators' Group


Re: SMTP in distributed DOS

daemon@ATHENA.MIT.EDU (Deepak Jain)
Sun Feb 20 16:12:43 2000

Date: Sun, 20 Feb 2000 16:08:05 -0500 (EST)
From: Deepak Jain <deepak@ai.net>
To: Dirk Harms-Merbitz <dirk@power.net>
Cc: qmail@list.cr.yp.to, nanog@merit.edu, bugtraq@securityfocus.com
In-Reply-To: <20000220110421.A16950@noc.power.net>
Message-ID: <Pine.BSF.4.21.0002201605490.13593-100000@aries.ai.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu



Not exactly a solution, but a fix is using a program like SpamProtect or
SpamControl (even on a server that is not open to relays). Our mail
servers will locally blackhole IPs from mail servers sending us far too
much mail in far too short a time period. Certain large mail servers have
higher thresholds. 

In the unlikely case that a server (or several) is blackholed, our NOC is
notified by the mail server for a human-intervention decision. 

This does not break legitimate SMTP mail, except possibly from the abused
mail servers, and is context-sensitive filtering.

Deepak Jain
AiNET

On Sun, 20 Feb 2000, Dirk Harms-Merbitz wrote:

> 
> SMTP bounces can be used in yet another form of Denial Of Service attack.
> 
> Just imagine what happens when some script kiddie uses a few tens of
> thousands of trojaned cable/DSL-connected home computers to send email
> to tens of thousands of domains and they all bounce back to your
> mail server!
> 
> Why don't we all just turn SMTP bounces OFF? Like return-receipts,
> the information content in bounces is very low.
> 
> A database would be much more efficient if you just want to know
> whether an email address is spelled correctly. Resending the entire
> message after adding a few hundred bytes is just idiotic. Especially
> if the attacker only has to send one message to generate 100 bounces.
> 
> We are currently seeing this first hand: Our real mail.power.net is
> at 207.151.19.8. The attacker is sending individualized emails with
> faked headers that contain "mail.power.net (unverified [209.26.14.22])".
> 
> The recipient computers are dumb enough to send their bounces to
> the real mail.power.net.
> 
> This is a DOS because the innocent mail server a) gets millions of
> bounces and b) might get black listed on various "anti-spam" lists.
> 
> Dirk
> 
> 
> Received: from mail.power.net (unverified [209.26.14.22]) by mee.yjapt.co.kr
>  (EMWAC SMTPRS 0.83) with SMTP id <B0000119229@mee.yjapt.co.kr>;
>  Mon, 21 Feb 2000 01:20:18 +0900
> Message-ID: <12PAIZTiA2Vyp.5wFyFudzDR_N8@mail.power.net>
> From: FinancialJobs70972@power.net <FinancialJobs70972@power.net>
> Bcc:
> Subject: Private Consultants Needed for Venture Capital Firm
> Date: Mon, 30 Mar 1998 10:04:48 -0400 (EDT) 
> 
> 

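The forged header Dirk quotes gives a way to recognise this kind of backscatter on the receiving end: the "from" name in a Received line is whatever the sender claimed in HELO, but the bracketed IP was written by the receiving server from the actual connection. A bounce whose returned headers show a hop claiming to be our hostname from an IP we do not own was never sent by us. The following is an added example, not code from either poster; the forged header is the one quoted above, while the "genuine" header, the mx.example.net hostname and the list of our own IPs are constructed for illustration.

```python
"""Recognising forged-origin backscatter from the Received trace.

Added example, not code from the original post. A bounce returns the original
message's headers; if one of those Received lines says the message came "from"
our hostname but the bracketed IP the receiving server actually saw is not one
of ours, the original was forged and the bounce is backscatter aimed at us.
"""
import re
from typing import Iterable, List, Optional, Tuple

# "from <helo> (<comment>) by <host> ..." -- the comment normally holds the
# connecting IP in square brackets, recorded by the receiver, not the sender.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Headers as quoted in Dirk's message: the forged origin.
FORGED_HEADERS = """Received: from mail.power.net (unverified [209.26.14.22]) by mee.yjapt.co.kr
 (EMWAC SMTPRS 0.83) with SMTP id <B0000119229@mee.yjapt.co.kr>;
 Mon, 21 Feb 2000 01:20:18 +0900
Message-ID: <12PAIZTiA2Vyp.5wFyFudzDR_N8@mail.power.net>
From: FinancialJobs70972@power.net <FinancialJobs70972@power.net>
Subject: Private Consultants Needed for Venture Capital Firm
"""

# Constructed: what a genuine hop from the real mail.power.net would look like.
GENUINE_HEADERS = """Received: from mail.power.net (mail.power.net [207.151.19.8])
 by mx.example.net (Postfix) with ESMTP id 1A2B3C;
 Sun, 20 Feb 2000 10:00:00 -0500
From: someone@power.net
"""

OUR_NAMES = {"mail.power.net"}
OUR_IPS = {"207.151.19.8"}  # the real address named in the post; site config in practice


def unfold(headers: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    out: List[str] = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and out:
            out[-1] += " " + raw.strip()
        elif raw.strip():
            out.append(raw.rstrip())
    return out


def received_hops(headers: str) -> List[Tuple[str, Optional[str]]]:
    """Return (claimed HELO name, IP the receiver saw) for each Received header."""
    hops: List[Tuple[str, Optional[str]]] = []
    for line in unfold(headers):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "received":
            continue
        m = RECEIVED_RE.search(value)
        if m is None:
            continue
        ip_m = IP_RE.search(m.group("comment") or "")
        hops.append((m.group("helo"), ip_m.group(1) if ip_m else None))
    return hops


def forged_origin(headers: str, our_names: Iterable[str],
                  our_ips: Iterable[str]) -> Optional[Tuple[str, str]]:
    """A hop that claims one of our hostnames from an IP we do not own, or None."""
    names, ips = {n.lower() for n in our_names}, set(our_ips)
    for helo, ip in received_hops(headers):
        if helo.lower() in names and ip is not None and ip not in ips:
            return helo, ip
    return None


def is_backscatter(envelope_from: str, original_headers: str,
                   our_names: Iterable[str], our_ips: Iterable[str]) -> bool:
    """Bounces arrive with an empty envelope sender (MAIL FROM:<>); if the headers
    they return show a forged origin claiming to be us, the bounce is backscatter."""
    return envelope_from in ("", "<>") and \
        forged_origin(original_headers, our_names, our_ips) is not None


if __name__ == "__main__":
    print(forged_origin(FORGED_HEADERS, OUR_NAMES, OUR_IPS))
    print(is_backscatter("<>", GENUINE_HEADERS, OUR_NAMES, OUR_IPS))
```

The check only fires on the hop that claims our name; it says nothing about hops further along the chain, and a sender that forges a Received line with one of our real IPs will pass it, so it is a filter for the crude case in the post, not a proof of origin.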


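Deepak's approach, per-source rate limiting with a higher threshold for known large mail servers, a local blackhole for anything that exceeds it, and a notification to the NOC rather than an automatic unblock, can be sketched as follows. This is an added example, not code from the original post or from AiNET's SpamProtect/SpamControl setup; the window length, the thresholds, the IP addresses and the traffic in simulate() are all hypothetical.

```python
"""Per-source SMTP rate limiting with local blackholing and NOC notification.

Added example, not code from the original post or from AiNET's mail servers.
Each client IP gets a sliding window of recent message timestamps; a default
threshold applies unless the IP is in a table of known large mail servers
with a higher one. A source that exceeds its threshold is blackholed and a
notification is queued for a human to review. Thresholds, IPs and the window
length are hypothetical.
"""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional, Tuple


class SmtpRateLimiter:
    def __init__(
        self,
        window_seconds: float = 60.0,
        default_limit: int = 50,
        per_source_limits: Optional[Dict[str, int]] = None,
        notify: Optional[Callable[[str, int, int], None]] = None,
    ) -> None:
        self.window = window_seconds
        self.default_limit = default_limit
        self.per_source_limits = dict(per_source_limits or {})
        self.notify = notify
        self._events: Dict[str, Deque[float]] = defaultdict(deque)
        self.blackholed: Dict[str, float] = {}  # ip -> time the block was applied
        self.notifications: List[Tuple[str, int, int]] = []  # (ip, seen, limit)

    def limit_for(self, ip: str) -> int:
        """Known large senders get a higher threshold; everyone else the default."""
        return self.per_source_limits.get(ip, self.default_limit)

    def accept(self, ip: str, now: float) -> bool:
        """Record a message from ip at time now. False means refuse the delivery."""
        if ip in self.blackholed:
            return False
        q = self._events[ip]
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop timestamps that fell out of the window
            q.popleft()
        q.append(now)
        limit = self.limit_for(ip)
        if len(q) > limit:
            self.blackholed[ip] = now
            note = (ip, len(q), limit)
            self.notifications.append(note)  # the NOC reviews this; nothing is auto-lifted
            if self.notify is not None:
                self.notify(*note)
            return False
        return True

    def release(self, ip: str) -> None:
        """Human-intervention path: the NOC lifts a block and the counter restarts."""
        self.blackholed.pop(ip, None)
        self._events.pop(ip, None)


def simulate() -> Dict[str, object]:
    """Constructed traffic: a trojaned host bursting 100 messages in 10 s, a large
    relay doing the same under a raised threshold, and a slow legitimate sender."""
    limiter = SmtpRateLimiter(
        window_seconds=60.0,
        default_limit=50,
        per_source_limits={"198.51.100.20": 500},  # hypothetical large mail server
    )
    accepted: Dict[str, int] = defaultdict(int)
    for i in range(100):
        t = i * 0.1
        for ip in ("203.0.113.7", "198.51.100.20"):
            if limiter.accept(ip, t):
                accepted[ip] += 1
    for i in range(30):
        if limiter.accept("192.0.2.9", i * 2.0):
            accepted["192.0.2.9"] += 1
    return {
        "accepted": dict(accepted),
        "blackholed": sorted(limiter.blackholed),
        "notifications": list(limiter.notifications),
    }


if __name__ == "__main__":
    print(simulate())
```

In the simulated run the bursting host is cut off after its 50th message inside the window and stays cut off until release() is called, the large relay's 100 messages all pass under its raised threshold, and the slow sender is untouched. As Deepak notes, the cost falls on the abused server: if a legitimate relay is compromised and bursts, it is blocked too, which is why the decision to lift the block is left to a person.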