From: Ansgar Wiechers on 21 Jul 2010 09:01

On 2010-07-21 Daniel V. Reinhardt wrote:
>> From: Ralf Hildebrandt <Ralf.Hildebrandt(a)charite.de>
>> To: postfix-users(a)postfix.org
>> Sent: Wed, July 21, 2010 5:00:16 AM
>> Subject: Is such an SSL attack possible against Postfix?
>>
>> http://blog.fefe.de/?ts=b2b8f9f8
>> sorry, it's in German. I'll translate some bits:
>>
>> Somebody went to Torrent trackers and announced blog.fefe.de:443 as
>> Torrent client (for a really popular download I guess).
>>
>> Thus, blog.fefe.de:443 got flooded with torrent-client traffic on
>> the SSL port.
>>
>> Port 25 outgoing will be blocked by most ISPs, but let's assume
>> that's not done by all ISPs. It would work with the submission port!
>
> In my opinion the port really doesn't matter. If the IP is up and
> fully operational and you send enough traffic to it then yes a DDoS is
> going to happen. If the port isn't open it will just say connection
> refused, but get enough traffic to saturate that bandwidth to the
> server, and the link will go down.
>
> So in this instance you would only be able to protect yourself via TCP
> and UDP Flood Protection on your IDS and HIPS systems or other
> firewall tools.

The issue with this attack is that it might exhaust CPU resources on the
server without having to saturate the bandwidth, due to cryptographic
operations required by SSL. And that it seems to use BitTorrent as a
multiplicator, so it doesn't require a botnet.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
From: Ralf Hildebrandt on 21 Jul 2010 09:03

* Ansgar Wiechers <lists(a)planetcobalt.net>:

> The issue with this attack is that it might exhaust CPU resources on the
> server without having to saturate the bandwidth, due to cryptographic
> operations required by SSL.

Correct.

> And that it seems to use BitTorrent as a multiplicator, so it doesn't
> require a botnet.

It brings its own botnet :)

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de
From: Wietse Venema on 21 Jul 2010 09:31

Ralf Hildebrandt:
> * Ansgar Wiechers <lists(a)planetcobalt.net>:
>
> > The issue with this attack is that it might exhaust CPU resources on the
> > server without having to saturate the bandwidth, due to cryptographic
> > operations required by SSL.
>
> Correct.
>
> > And that it seems to use BitTorrent as a multiplicator, so it doesn't
> > require a botnet.
>
> It brings its own botnet :)

And thus, Postfix's botnet defenses kick in. With port 25 and 587, the
session won't even get to the TLS handshake. Postfix will go into
"stress mode" and hang up after the first SMTP error. Just pray that
there is a newline character somewhere in the client TLS HELLO packet.

	Wietse
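The behaviour Wietse describes, as an added toy model written for this page (it is not Postfix source code and not part of the thread): a plaintext-SMTP listener reads the client's input one line at a time, answers anything that is not an SMTP command with a 5xx error, and disconnects once the error count reaches smtpd_hard_error_limit; if the client never sends a newline, the read instead blocks until smtpd_timeout expires. The numbers used for the two modes (20 errors / 300 s normally, 1 error / 10 s under stress) are the stress-adaptive defaults documented in Postfix's STRESS_README for Postfix 2.6 and later; the "ClientHello" bytes are constructed here and only matter for whether they contain a 0x0a byte.

```python
"""Toy model of a Postfix smtpd receiving a TLS ClientHello on a plaintext
port.  Added illustration only; the real smtpd is far richer.  Two things
are modelled: the line-oriented read (no newline => wait for smtpd_timeout)
and the error limit (smtpd_hard_error_limit => 421 and hang up)."""

from dataclasses import dataclass

# Commands the toy server treats as well-formed.  Anything else is an error.
KNOWN_VERBS = {b"EHLO", b"HELO", b"STARTTLS", b"MAIL", b"RCPT", b"DATA",
               b"NOOP", b"RSET", b"QUIT"}


@dataclass(frozen=True)
class SmtpdSettings:
    hard_error_limit: int   # smtpd_hard_error_limit
    timeout_s: int          # smtpd_timeout (seconds)


# Assumed values: the documented Postfix 2.6+ defaults, i.e.
#   smtpd_hard_error_limit = ${stress?1}${stress:20}
#   smtpd_timeout          = ${stress?10}${stress:300}s
NORMAL = SmtpdSettings(hard_error_limit=20, timeout_s=300)
STRESS = SmtpdSettings(hard_error_limit=1, timeout_s=10)


def simulate_session(client_bytes: bytes, settings: SmtpdSettings) -> dict:
    """Return how the toy smtpd ends the session for the given client input:
    how many error replies it sent, why the session ended ("quit", "hangup"
    or "timeout"), and how many seconds the process stayed tied up."""
    errors = 0
    replies = []
    buf = client_bytes
    while True:
        nl = buf.find(b"\n")
        if nl < 0:
            # No complete line: a real smtpd sits in read() until smtpd_timeout.
            return {"errors": errors, "ended_by": "timeout",
                    "held_for_s": settings.timeout_s, "replies": replies}
        line, buf = buf[:nl].rstrip(b"\r"), buf[nl + 1:]
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"QUIT":
            replies.append("221 2.0.0 Bye")
            return {"errors": errors, "ended_by": "quit",
                    "held_for_s": 0, "replies": replies}
        if verb in KNOWN_VERBS:
            replies.append("250 OK")      # toy: accept any well-formed command
            continue
        errors += 1
        replies.append("502 5.5.2 Error: command not recognized")
        if errors >= settings.hard_error_limit:
            replies.append("421 4.7.0 Error: too many errors")
            return {"errors": errors, "ended_by": "hangup",
                    "held_for_s": 0, "replies": replies}


def fake_client_hello(with_newline: bool) -> bytes:
    """Constructed TLS 1.0 ClientHello record.  The 32 'random' bytes are a
    fixed run of 0x20..0x3f (no 0x0a); with_newline plants one 0x0a byte in
    them to model a handshake that happens to contain a line terminator."""
    random32 = bytearray(range(0x20, 0x40))
    if with_newline:
        random32[7] = 0x0a
    payload = (b"\x03\x01" + bytes(random32)
               + b"\x00"                 # session id length 0
               + b"\x00\x02\x00\x2f"     # one cipher suite
               + b"\x01\x00")            # compression: null
    handshake = b"\x01" + len(payload).to_bytes(3, "big") + payload
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for label, data in (("hello with newline", fake_client_hello(True)),
                        ("hello without newline", fake_client_hello(False)),
                        ("legit client", b"EHLO client.example\r\nQUIT\r\n")):
        for mode, s in (("normal", NORMAL), ("stress", STRESS)):
            r = simulate_session(data, s)
            print(f"{label:22s} {mode:7s} errors={r['errors']} "
                  f"ended_by={r['ended_by']} held_for={r['held_for_s']}s")
```

Running it shows the point of the thread: a ClientHello that contains a newline costs a stressed smtpd one 502, one 421 and no waiting, whereas in normal mode the same bytes leave the process waiting on the rest of the record until smtpd_timeout; a ClientHello without any newline ties the process up for the full timeout in either mode, which is why the stress-mode 10 s timeout matters as much as the error limit.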
From: Charles Marcus on 21 Jul 2010 11:11

Jonathan Tripathy wrote:
>> Any ISP that does *not* block port 25 for residential service is a part
>> of the spam/zombie problem, and if yours doesn't, you should complain,
>> loudly if necessary, and encourage them to block it.

> Every ISP in the UK?

Every one that is not, at a bare minimum, closely monitoring it for botnet
traffic *and* *immediately* shutting down infected IPs, then yes,
absolutely...

But, since most residential users have no need to send/receive email
directly over port 25, it is *much* easier (and more effective) to just
block it for designated subnets, so they only have to worry about
monitoring those that they *know* will be using it (because they
specifically asked for it).

> I beg to disagree. Blocking port 25 is a violation of Net Neutrality.

Ridiculous; net neutrality has nothing to do with service level
agreements. Residential service does not in any way, shape or form equate
to requiring full SMTP services to be able to run your own full blown mail
server, nor does denying access to port 25 for 'normal' residential users
impact their ability to access the internet or send/receive email.

If you want that level of service, upgrade to a service that provides it,
and that will be at least minimally monitored for abuse (it is in the
ISP's best interest to avoid getting their IP addresses on blacklists).
From: Gordan Bobic on 21 Jul 2010 11:16

On Wed, 2010-07-21 at 11:11 -0400, Charles Marcus wrote:
> Jonathan Tripathy wrote:
> > I beg to disagree. Blocking port 25 is a violation of Net Neutrality.
>
> Ridiculous; net neutrality has nothing to do with service level
> agreements. Residential service does not in any way, shape or form
> equate to requiring full SMTP services to be able to run your own full
> blown mail server, nor does denying access to port 25 for 'normal'
> residential users impact their ability to access the internet or
> send/receive email.
>
> If you want that level of service, upgrade to a service that provides
> it, and that will be at least minimally monitored for abuse (it is in
> the ISP's best interest to avoid getting their IP addresses on blacklists).

Absolute nonsense. There are a lot of people who prefer to run their own
mail servers, and they do so legitimately on residential-grade lines
because they are cheaper than business ones.

Either way, what you're wishing for isn't going to happen any time soon,
and it's getting off topic.

Gordan