That's why Sandy suggested an IDS system. Software will recognize the attack, add the IP to the firewall, and you won't even know it happened until you wake up (hopefully, quite late since you are sleeping so much better with the IDS in place).
Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rainer Noa
Sent: Friday, May 11, 2007 3:57 AM
To: [email protected]
Subject: AW: AW: [IMail Forum] hacking problem

Hello Sandy,

under heavy load (DOS-Attack) the automatic will not help! My experience showed that the attacks always appear when I'm sleeping in my bed. Nobody can enter the IP in the firewall!

Rainer :)

--
i.A. Rainer Noa
Project Manager
MilesTec AG
Prager Ring 2
66482 Zweibrücken
Phone: (06332) 479 00 30
Fax: (01212) 518 21 06 71
Mobile: (0171) 742 18 56
Email: [EMAIL PROTECTED]
Registered office: Zweibrücken
Commercial register: Amtsgericht Zweibrücken HRB 1663 Z
Chairman of the Supervisory Board: Rüdiger Burkart
Executive Board: Oliver Reinking
Tax no.: DE196797197
VAT ID no.: 35.657.06220

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sanford Whiteman
Sent: Friday, May 11, 2007 09:37
To: Rainer Noa
Subject: Re: AW: [IMail Forum] hacking problem

> Blocking this and the thousands other IPs is a silly job. This is an
> answer of a programmer with no experience in a real company.

Nonsense. Blocking by IP is standard practice. One preferably blocks at the edge router or firewall; if not possible, block at the stack (OS) level on the host.

Blocking at the application level and expecting an application to perform its own DoS backoff once a socket has been opened and handed up the chain is a losing battle. And waiting to see what POP3 *username* is being attempted is a completely ignorant anti-DoS tactic.

The fact is that this harvesting method, when used against applications with a low max concurrent connections, is a DoS attack. Even on very modern hardware, connection starvation is completely possible; I have seen it in the wild quite recently as a result of the same sort of traffic.

Yes, the application-level measures like 'maximum failed logins' will work under mild load.
If you only have a mild load, you don't have a DoS condition, however, so what's your primary worry? You might have a lone abuser trying to get into one *specific* account for targeted purposes (espionage or social mischief-making), and the application-level lockout is a worthy tactic against that scenario... because, by definition, such an attack is not happening in bulk. (And locking out a *specifically targeted* user because someone tried to compromise their account can give them a nice dose of reality.)

You can quite reasonably complain when a vendor drops support for any feature that's mildly useful. But to lament the loss of the weakest possible DoS protection -- that is, well within the same application that is being DoSed -- as if it were your only choice is technically foolish.

Get an IDS/IPS and script it to hit your router, or even to update your Windows OS *stack-level* (IP Security) settings if you don't have access to your router or firewall. It's not like failed POP3 logins are difficult to detect; they're plain-text exchanges, a simple signature. If you want your app to go so deep as to consult its user database before rejecting an abusive connection, causing collateral damage even when it works at all, it's *you* who's missing the real-world experience of a DoS.

--Sandy

------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
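
The detection discussed in this thread (failed POP3 logins as a plain-text signature, with the offending address handed to the router or firewall) can be sketched as follows. This is an added example, not part of the thread and not IMail or IDS vendor code; the event tuple layout, the 60-second window, the threshold of 3, the helper names and the sample traffic are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed sliding window
MAX_FAILURES = 3     # assumed failures per window before blocking

def failed_logins(events):
    """Yield (timestamp, client_ip) for every PASS the server answers with -ERR."""
    # events: (timestamp, client_ip, client_port, sender, line) in capture order;
    # sender is "C" for the client and "S" for the server.
    awaiting_reply = set()  # connections whose last client command was PASS
    for ts, ip, port, sender, line in events:
        conn, verb = (ip, port), line.split(" ", 1)[0].upper()
        if sender == "C":
            # Only the PASS reply matters; the username is never inspected.
            if verb == "PASS":
                awaiting_reply.add(conn)
            else:
                awaiting_reply.discard(conn)
        elif conn in awaiting_reply:
            awaiting_reply.discard(conn)
            if verb == "-ERR":
                yield ts, ip

def addresses_to_block(events, window=WINDOW_SECONDS, limit=MAX_FAILURES):
    """Return source addresses with `limit` or more failures inside `window` seconds."""
    recent, blocked = defaultdict(deque), []
    for ts, ip in failed_logins(events):
        times = recent[ip]
        times.append(ts)
        while ts - times[0] > window:  # drop failures older than the window
            times.popleft()
        if len(times) >= limit and ip not in blocked:
            blocked.append(ip)  # hand this list to the router, firewall or IPsec policy
    return blocked

def session(ts, ip, port, ok):
    """Constructed POP3 exchange: USER, PASS, and the server's verdict one second later."""
    verdict = "+OK maildrop ready" if ok else "-ERR authentication failed"
    return [(ts, ip, port, "C", "USER someone"), (ts, ip, port, "S", "+OK"),
            (ts, ip, port, "C", "PASS guess"), (ts + 1, ip, port, "S", verdict)]

# Constructed sample traffic (documentation address ranges), sorted into capture order.
SAMPLE = sorted(
    session(0, "198.51.100.7", 40001, False) + session(10, "198.51.100.7", 40002, False)
    + session(20, "198.51.100.7", 40003, False)   # burst: 3 failures in 20 s
    + session(5, "192.0.2.10", 50001, False) + session(30, "192.0.2.10", 50002, True)
    + session(0, "203.0.113.5", 60001, False) + session(300, "203.0.113.5", 60002, False)
    + session(600, "203.0.113.5", 60003, False),  # slow: failures 5 minutes apart
    key=lambda event: event[0])
```

On the sample, only the bursting address is returned; the user who mistyped once and the slow prober stay below the threshold, which is the trade-off the window and limit control.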
