From: Ralf Hildebrandt on 21 Jul 2010 05:00

http://blog.fefe.de/?ts=b2b8f9f8
Sorry, it's in German. I'll translate some bits:

Somebody went to Torrent trackers and announced blog.fefe.de:443 as a Torrent client (for a really popular download, I guess).

Thus, blog.fefe.de:443 got flooded with torrent-client traffic on the SSL port.

Port 25 outgoing will be blocked by most ISPs, but let's assume that's not done by all ISPs. It would work with the submission port!

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de
From: Gordan Bobic on 21 Jul 2010 05:21

On Wed, 2010-07-21 at 10:02 +0100, Jonathan Tripathy wrote:
> > Port 25 outgoing will be blocked by most ISPs
>
> This may be the case in your country, but from where I'm from, I've
> never had a problem sending out on port 25, even on home residential
> ISPs :)

My observation is the same. I am aware of only one "ISP" blocking outbound port 25, and that is Three, and from what I have been able to check, they only block for access from mobile phones. Of course, outbound port 587 isn't blocked.

Back to the original point about SSL DDoS: you have to consider how SSL works for SMTP. The correct way to do SMTP encryption is via TLS, not SMTPS, which means the connection gets set up without SSL and then switches to TLS at the protocol level. That means the client would have to know how to talk SMTP first, which BT clients don't. OTOH, if you are running SMTPS, then SSL would get established first, before the protocol connection is set up, so you would get hit with the SSL setup overheads. But you shouldn't be running SMTPS; its very existence is an ill-thought-out hangover from the dark ages.

Gordan
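To make the STARTTLS-versus-SMTPS distinction concrete, here is an added Postfix configuration sketch (not from the thread or from the Postfix project's own documentation) that offers submission on port 587 with STARTTLS required and leaves the wrapper-mode smtps service on 465 disabled. With STARTTLS, the TLS handshake only begins after a client has spoken plaintext SMTP (EHLO, then STARTTLS), so a flood of clients that never send a valid SMTP command is handled by the cheap command stage; with `smtpd_tls_wrappermode=yes`, every connection starts with a full TLS handshake. The per-client limits in the main.cf part are Postfix's built-in anvil(8) connection-rate controls; the numeric values are illustrative choices, not recommendations from the thread.

```ini
# master.cf (added example)
# service   type  private unpriv  chroot  wakeup  maxproc command + args
#
# Submission (587): plaintext SMTP greeting first, TLS only after STARTTLS.
submission  inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# SMTPS (465) in wrapper mode: TLS handshake before any SMTP dialogue.
# Left disabled here; each incoming connection would cost a handshake.
#smtps      inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes

# main.cf (added example): anvil(8) per-client limits for the smtpd services.
# At most 10 concurrent connections and 30 new connections per minute
# from any single client IP (values chosen for illustration).
#smtpd_client_connection_count_limit = 10
#smtpd_client_connection_rate_limit = 30
#anvil_rate_time_unit = 60s
```

Clients in `$mynetworks` are exempt from the anvil limits by default (`smtpd_client_event_limit_exceptions`), so these settings throttle only outside connections.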
From: Charles Marcus on 21 Jul 2010 08:46

Jonathan Tripathy wrote:
> > Port 25 outgoing will be blocked by most ISPs
> This may be the case in your country, but from where I'm from, I've
> never had a problem sending out on port 25, even on home residential
> ISPs :)

Any ISP that does *not* block port 25 for residential service is a part of the spam/zombie problem, and if yours doesn't, you should complain, loudly if necessary, and encourage them to block it.
From: "Daniel V. Reinhardt" on 21 Jul 2010 08:50

----- Original Message ----
> From: Ralf Hildebrandt <Ralf.Hildebrandt(a)charite.de>
> To: postfix-users(a)postfix.org
> Sent: Wed, July 21, 2010 5:00:16 AM
> Subject: Is such an SSL attack possible against Postfix?
>
> http://blog.fefe.de/?ts=b2b8f9f8
> sorry, it's in German. I'll translate some bits:
>
> Somebody went to Torrent trackers and announced blog.fefe.de:443 as
> Torrent client (for a really popular download I guess).
>
> Thus, blog.fefe.de:443 got flooded with torrent-client traffic on the
> SSL port.
>
> Port 25 outgoing will be blocked by most ISPs, but let's assume that's
> not done by all ISPs. It would work with the submission port!

All,

In my opinion the port really doesn't matter. If the IP is up and fully operational and you send enough traffic to it, then yes, a DDoS is going to happen. If the port isn't open it will just say connection refused, but get enough traffic to saturate the bandwidth to the server, and the link will go down. So in this instance you would only be able to protect yourself via TCP and UDP flood protection on your IDS and HIPS systems or other firewall tools.

Thanks,
Daniel Reinhardt
Website: www.cryptodan.com
Email: cryptodan(a)yahoo.com
From: "Jonathan Tripathy" on 21 Jul 2010 08:52

> Jonathan Tripathy wrote:
> > > Port 25 outgoing will be blocked by most ISPs
> > This may be the case in your country, but from where I'm from, I've
> > never had a problem sending out on port 25, even on home residential
> > ISPs :)
>
> Any ISP that does *not* block port 25 for residential service is a part of the spam/zombie problem, and if yours doesn't, you should complain, loudly if necessary, and encourage them to block it.

Every ISP in the UK? I beg to disagree. Blocking port 25 is a violation of Net Neutrality. Now, by default, the ISPs do put their DSL (dynamic and static) IP addresses automatically on the RBL blacklist, listed as a server which should not normally send email. To realistically send email from a dynamic IP, you need to remove yourself from that list, but you have to promise not to spam. Then, if you spam, you get put back on permanently.