Without doubt the biggest management headache I have with ASSP is the
SSL/TLS DDoS feature.

When SSL fails, for whatever reason:

Aug-14-19 14:48:09 [Worker_2] Error: Worker_2 accept_SSL to client
111.222.333.444 failed IO::Socket::SSL=GLOB(0x1089bb828) (timeout: 5 s)
: SSL accept attempt failed because of handshake problems
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown

All subsequent secure connection attempts from that IP address are
blocked for the next 12 hours:

Aug-14-19 14:48:09 [Worker_2] Error: Worker_2 accept_SSL to client
111.222.333.444 denied - the client failed before on SSL/TLS

The TLS/SSL DDoS mitigation feature is great...but this causes huge
headaches for me when I have an office full of people, and ONE client PC
(phone, fax machine, whatever) misbehaves. The result is that it locks
out the entire office from being able to send email for 12 hours. You
can imagine the angry calls I get.

This happens once or twice a week. Sometimes the misbehaving SMTP client
is intermittent, and we are NEVER able to find out which one it is.

I can put the client's IP into noBanFailedSSLIP, but this is a temporary
fix - because most of the clients are on connections which have
dynamically assigned IP addresses, and the next time their router
renegotiates, they get a new IP address and are blocked once again.

What I'd love to see is a "client must have failed x number of times in
a row before being blocked" parameter. That would stop a big DDoS
attack, but a successful SSL/TLS negotiation would reset the counter, so
that we don't have an IP representing 40 users being blocked because of
a misbehaving fax machine.

Assp-test mailing list

Reply via email to