On 18/Apr/09 21:34, Sam Varshavchik wrote:
> The real value-added is when an existing connection gets blocked.
> Blocking the inbound packets causes the connection to stall until it
> times out. Blocking the outbound packets, with REJECT, rather than drop,
> should end up clearing the socket immediately on the server side.
It works! It doesn't happen very often, but sometimes someone gets hold of
the daemon and tries various userid/passwords. (I have to note that, from the
log I saw, existing attacks are not "serious" at all, since the user names
tried were not real ones. Presumably they are just testing that software.)
To recap, with naive setup, MAXPERIP=64 and tarpit enabled, someone tried 5000
user/password pairs in 5 minutes.
Blocking new connections from specific addresses that caused a number of LOGIN
FAILED still allowed someone to try 600+ pairs in a single connection.
In January I configured the server for blocking existing connections and
yesterday it fired. I have:
# iptables -vL OUTPUT
Chain OUTPUT (policy ACCEPT 8908K packets, 4890M bytes)
 pkts bytes target     prot opt in     out     source               destination
   27  1266 REJECT     tcp  --  any    any     anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN mark match 0x4 reject-with tcp-reset
Not sure if those 27 packets were from different connections.
It blocked a few hundred packets from that IP since February:
# ibd-del -Lv
IP              CREATED   PROB.    BLOCKED   PACKETS  UPDATED   DECAY  THRESHOLD  CAUGHT  DESCRIPTION
218.xx.xxx.xxx  Feb-2010  100.00%  15-02:10  477      15-02:10  270    5          109     dictionary attack
Now for an interesting question: how do we handle _distributed_ dictionary
attacks?
_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
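The following is an added example, not code from the post above or from the Courier project. It tallies "LOGIN FAILED" lines per source address the way the per-IP blocking in the thread does, then aggregates the same failures per user to surface the distributed case the post closes with, and renders the iptables rules that stop a blocked address, including the OUTPUT rule with mark 0x4 and tcp-reset shown in the post. The log lines are constructed in courier-imap's log format, the thresholds and the user-based aggregation are assumptions, and the CONNMARK lines are an assumed way of getting the mark onto outbound packets (the post does not show how its mark is set). Commands are returned as strings, never executed.

```python
# Added example (not from the original post or the Courier project).
import re
from collections import Counter, defaultdict

# Constructed sample log in courier-imap's format: one address guessing many
# users (classic dictionary attack), then one user guessed from many addresses
# (distributed attack, each address staying under the per-IP threshold).
SAMPLE_LOG = """\
Feb 15 02:10:01 mail imapd: LOGIN FAILED, user=admin, ip=[::ffff:218.0.0.1]
Feb 15 02:10:02 mail imapd: LOGIN FAILED, user=test, ip=[::ffff:218.0.0.1]
Feb 15 02:10:03 mail imapd: LOGIN FAILED, user=webmaster, ip=[::ffff:218.0.0.1]
Feb 15 02:10:04 mail imapd: LOGIN FAILED, user=info, ip=[::ffff:218.0.0.1]
Feb 15 02:10:05 mail imapd: LOGIN FAILED, user=sales, ip=[::ffff:218.0.0.1]
Feb 15 02:10:06 mail imapd: LOGIN FAILED, user=root, ip=[::ffff:218.0.0.1]
Feb 15 02:10:07 mail imapd: LOGIN, user=alice, ip=[::ffff:10.0.0.7], protocol=IMAP
Feb 15 02:10:08 mail imapd: LOGIN FAILED, user=admin, ip=[::ffff:192.0.2.10]
Feb 15 02:10:09 mail imapd: LOGIN FAILED, user=admin, ip=[::ffff:192.0.2.11]
Feb 15 02:10:10 mail imapd: LOGIN FAILED, user=admin, ip=[::ffff:192.0.2.12]
Feb 15 02:10:11 mail imapd: LOGIN FAILED, user=admin, ip=[::ffff:192.0.2.13]
Feb 15 02:10:12 mail imapd: LOGIN FAILED, user=admin, ip=[::ffff:192.0.2.14]
Feb 15 02:10:13 mail imapd: LOGIN FAILED, user=admin, ip=[::ffff:192.0.2.15]
"""

# The IPv4-mapped "::ffff:" prefix is stripped so rules get a plain address.
FAILED_RE = re.compile(
    r"LOGIN FAILED, user=(?P<user>[^,]+), ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]"
)

PER_IP_THRESHOLD = 5        # same as the THRESHOLD column in the post's ibd-del output
DISTRIBUTED_THRESHOLD = 5   # distinct source addresses hammering one user (assumed)
MARK = "0x4"                # the mark the post's OUTPUT rule matches


def parse_failures(log_text):
    """Return [(user, ip), ...] for every LOGIN FAILED line; other lines are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def offending_ips(failures, threshold=PER_IP_THRESHOLD):
    """Addresses with at least `threshold` failures: the single-source case."""
    per_ip = Counter(ip for _, ip in failures)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def distributed_targets(failures, threshold=DISTRIBUTED_THRESHOLD):
    """Users failing from at least `threshold` distinct addresses.

    A per-IP counter never fires when each address sends one or two guesses,
    so the signal is aggregated on the user instead of on the source."""
    ips_per_user = defaultdict(set)
    for user, ip in failures:
        ips_per_user[user].add(ip)
    return {u: sorted(ips) for u, ips in ips_per_user.items() if len(ips) >= threshold}


def base_rules(mark=MARK):
    """Rules installed once. The second is the post's OUTPUT rule: every
    non-SYN packet of a marked connection is answered with a TCP RST, so the
    server side closes the socket at once instead of waiting for a timeout.
    Restoring the connection mark onto outbound packets (first rule) is an
    assumed way of getting the mark there."""
    return [
        "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark",
        f"iptables -A OUTPUT -p tcp ! --syn -m mark --mark {mark} "
        f"-j REJECT --reject-with tcp-reset",
    ]


def block_ip_rules(ip, mark=MARK):
    """Per-address rules: refuse new connections, and mark the address's
    existing connections so the OUTPUT rule tears them down."""
    return [
        f"iptables -A INPUT -p tcp --syn -s {ip} -j DROP",
        f"iptables -t mangle -A INPUT -s {ip} -j CONNMARK --set-mark {mark}",
    ]


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for rule in base_rules():
        print(rule)
    for ip in offending_ips(failures):
        print("\n".join(block_ip_rules(ip)))
    for user, ips in distributed_targets(failures).items():
        print(f"# distributed: user={user} guessed from {len(ips)} addresses")
```

On the sample log, only 218.0.0.1 crosses the per-IP threshold, while "admin" is seen failing from seven distinct addresses, none of which would ever be blocked by the per-IP counter alone; that is the gap a distributed attack exploits, and why the aggregation key has to change.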