From: Ansgar Wiechers on
On 2010-07-21 Daniel V. Reinhardt wrote:
>> From: Ralf Hildebrandt <Ralf.Hildebrandt(a)charite.de>
>> To: postfix-users(a)postfix.org
>> Sent: Wed, July 21, 2010 5:00:16 AM
>> Subject: Is such an SSL attack possible against Postfix?
>>
>> http://blog.fefe.de/?ts=b2b8f9f8
>> sorry, it's in german. I'll translate some bits:
>>
>> Somebody went to Torrent trackers and announced blog.fefe.de:443 as
>> Torrent client (for a really popular download I guess).
>>
>> Thus, blog.fefe.de:443 got flooded with torrent-client traffic on
>> the SSL port.
>>
>> Port 25 outgoing will be blocked by most ISPs, but let's assume
>> that's not done by all ISPs. It would work with the submission port!
>
> In my opinion the port really doesn't matter. If the IP is up and
> fully operational and you send enough traffic to it then yes a DDoS is
> going to happen. If the port isn't open it will just say connection
> refused, but get enough traffic to saturate that bandwidth to the
> server, and the link will go down.
>
> So in this instance you would only be able to protect yourself via TCP
> and UDP Flood Protection on your IDS and HIPS systems or other
> firewall tools.

The issue with this attack is that it might exhaust CPU resources on the
server without having to saturate the bandwidth, due to cryptographic
operations required by SSL. And that it seems to use BitTorrent as a
multiplicator, so it doesn't require a botnet.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

From: Ralf Hildebrandt on
* Ansgar Wiechers <lists(a)planetcobalt.net>:

> The issue with this attack is that it might exhaust CPU resources on the
> server without having to saturate the bandwidth, due to cryptographic
> operations required by SSL.

Correct.

> And that it seems to use BitTorrent as a multiplicator, so it doesn't
> require a botnet.

It brings its own botnet :)

--
Ralf Hildebrandt
IT Division | Network Department
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de


From: Wietse Venema on
Ralf Hildebrandt:
> * Ansgar Wiechers <lists(a)planetcobalt.net>:
>
> > The issue with this attack is that it might exhaust CPU resources on the
> > server without having to saturate the bandwidth, due to cryptographic
> > operations required by SSL.
>
> Correct.
>
> > And that it seems to use BitTorrent as a multiplicator, so it doesn't
> > require a botnet.
>
> It brings its own botnet :)

And thus, Postfix's botnet defenses kick in. With port 25 and 587,
the session won't even get to the TLS handshake. Postfix will go
into "stress mode" and hang up after the first SMTP error. Just
pray that there is a newline character somewhere in the client TLS
HELLO packet.

Wietse
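As an added illustration (not text from any of the posters, and not taken from the Postfix documentation verbatim), these are the main.cf settings behind the behaviour Wietse describes; the values are the stress-dependent defaults Postfix 2.6 and later apply, written out explicitly here so the mechanism is visible.

```conf
# Added example: stress-dependent smtpd settings (Postfix 2.6+ syntax).
# When all smtpd processes are busy, master(8) starts new ones with
# "-o stress=yes", and the ${stress?a}${stress:b} form expands to "a"
# under stress and to "b" otherwise.

# Under stress, hang up after the first SMTP protocol error.
# A TLS ClientHello sent to port 25 or 587 is read as an SMTP command
# line and rejected, so such clients are dropped before any handshake,
# provided the line reader sees a newline and returns a command to reject.
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_junk_command_limit = ${stress?1}${stress:100}

# Shorter timeouts so idle or slow clients give up their process slot
# quickly instead of holding it for the non-stress 300 seconds.
smtpd_timeout = ${stress?10}${stress:300}s
smtpd_starttls_timeout = ${stress?10}${stress:300}s
```

Running "postconf -x smtpd_hard_error_limit" on the server shows the value that applies outside stress mode; the stress value only takes effect in smtpd processes started with -o stress=yes.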

From: Charles Marcus on
Jonathan Tripathy wrote:
>> Any ISP that does *not* block port 25 for residential service is a part
>> of the spam/zombie problem, and if yours doesn't, you should complain,
>> loudly if necessary, and encourage them to block it.

> Every ISP in the UK?

Every one that is not, at a bare minimum, closely monitoring it for
botnet traffic *and* *immediately* shutting down infected IPs, then yes,
absolutely...

But, since most residential users have no need to send/receive email
directly over port 25, it is *much* easier (and more effective) to just
block it for designated subnets, so they only have to worry about
monitoring those that they *know* will be using it (because they
specifically asked for it).

> I beg to disagree. Blocking port 25 is a violation of Net Neutrality.

Ridiculous, net neutrality has nothing to do with service level
agreements. Residential service does not in any way, shape or form
equate to requiring full SMTP services to be able to run your own full
blown mail server, nor does denying access to port 25 for 'normal'
residential users impact their ability to access the internet or
send/receive email.

If you want that level of service, upgrade to a service that provides
it, and that will be at least minimally monitored for abuse (it is in
the ISPs' best interest to avoid getting their IP addresses on blacklists).

From: Gordan Bobic on
On Wed, 2010-07-21 at 11:11 -0400, Charles Marcus wrote:
> Jonathan Tripathy wrote:
> > I beg to disagree. Blocking port 25 is a violation of Net Neutrality.
>
> Ridiculous, net neutrality has nothing to do with service level
> agreements. Residential service does not in any way, shape or form
> equate to requiring full SMTP services to be able to run your own full
> blown mail server, nor does denying access to port 25 for 'normal'
> residential users impact their ability to access the internet or
> send/receive email.
>
> If you want that level of service, upgrade to a service that provides
> it, and that will be at least minimally monitored for abuse (it is in
> the ISPs' best interest to avoid getting their IP addresses on blacklists).

Absolute nonsense. There are a lot of people who prefer to run their own
mail servers, and they do so legitimately on residential-grade lines
because they are cheaper than business ones.

Either way, what you're wishing for isn't going to happen any time soon,
and it's getting off topic.

Gordan