Hello Stephan, well done! This is the real answer.
We are a small b2b marketplace and we are not interested in a big, expensive solution.

Kind regards
Rainer J

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stephan
Sent: Friday, 11 May 2007 15:44
To: [email protected]
Subject: Re: AW: [IMail Forum] hacking problem

The failed login is not to mitigate DoS attacks but to avoid accounts being hacked into. I agree that DoS is better handled at the router/firewall server, but this is a separate issue. Also IMail is a small business application, with the assumption that it should have automated tools to help with the administration of the server. If we were dealing with a large scale DoS attack then we would most likely work at the router level with our provider to block it, but in most other cases we need something far simpler than that.

There are a lot of applications that have lockout capabilities built-in. For example the open source FileZilla FTP server has a built-in blocking of IP addresses after x number of failed logins. The administrator can set how many attempts trigger the lock and how long the lock lasts. The idea of blocking by IP address is good, but an attack could also be coming from a botnet with no fixed IP address to block. And anyway, this used to be a feature in IMail 8.x so I am really baffled that they forgot to include it in 2006.

-----Original Message-----
From: "Sanford Whiteman" <[EMAIL PROTECTED]>
Sent: 5/11/2007 3:36:52 AM
To: "Rainer Noa" <[email protected]>
Subject: Re: AW: [IMail Forum] hacking problem

> Blocking this and the thousands other IPs is a silly job. This is an
> answer of a programmer with no experience in a real company.

Nonsense. Blocking by IP is standard practice. One preferably blocks at the edge router or firewall; if not possible, block at the stack (OS) level on the host. Blocking at the application level and expecting an application to perform its own DoS backoff once a socket has been opened and handed up the chain is a losing battle.

And waiting to see what POP3 *username* is being attempted is a completely ignorant anti-DoS tactic. The fact is that this harvesting method, when used against applications with a low max concurrent connections, is a DoS attack. Even on very modern hardware, connection starvation is completely possible; I have seen it in the wild quite recently as a result of the same sort of traffic.

Yes, the application-level measures like 'maximum failed logins' will work under mild load. If you only have a mild load, you don't have a DoS condition, however, so what's your primary worry? You might have a lone abuser trying to get into one *specific* account for targeted purposes (espionage or social mischief-making), and the application-level lockout is a worthy tactic against that scenario... because, by definition, such an attack is not happening in bulk. (And locking out a *specifically targeted* user because someone tried to compromise their account can give them a nice dose of reality.)

You can quite reasonably complain when a vendor drops support for any feature that's mildly useful. But to lament the loss of the weakest possible DoS protection -- that is, well within the same application that is being DoSed -- as if it were your only choice is technically foolish. Get an IDS/IPS and script it to hit your router, or even to update your Windows OS *stack-level* (IP Security) settings if you don't have access to your router or firewall. It's not like failed POP3 logins are difficult to detect; they're plain-text exchanges, a simple signature. If you want your app to go so deep as to consult its user database before rejecting an abusive connection, causing collateral damage even when it works at all, it's *you* who's missing the real-world experience of a DoS.

--Sandy

------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
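The lockout mechanism the thread argues about (Stephan's "x failed logins triggers a lock that lasts y minutes", counted per source IP as Sandy prefers rather than per account), as an added example that is not from the thread, from IMail, or from FileZilla. It runs over constructed POP3 log lines in a made-up format; the log layout, the addresses, and the threshold/window/lock values are all assumptions. Its output is the list of locked source addresses with expiry times, which is what a script would feed to the edge firewall or OS stack filter rather than enforcing inside the mail application.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up layout (not IMail's real log format):
# "<date> <time> <client-ip> POP3 LOGIN <FAILED|OK> user=<name>"
SAMPLE_LOG = """\
2007-05-11 03:36:01 198.51.100.7 POP3 LOGIN FAILED user=alice
2007-05-11 03:36:02 198.51.100.7 POP3 LOGIN FAILED user=bob
2007-05-11 03:36:03 198.51.100.7 POP3 LOGIN FAILED user=carol
2007-05-11 03:36:04 198.51.100.7 POP3 LOGIN FAILED user=dave
2007-05-11 03:36:05 198.51.100.7 POP3 LOGIN FAILED user=erin
2007-05-11 03:36:10 203.0.113.5 POP3 LOGIN FAILED user=alice
2007-05-11 03:36:40 203.0.113.5 POP3 LOGIN OK user=alice
2007-05-11 03:50:00 198.51.100.7 POP3 LOGIN FAILED user=frank
"""


def parse_line(line):
    """Return (timestamp, client_ip, failed, username) for one sample line."""
    date, time, ip, _proto, _login, result, user_field = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, ip, result == "FAILED", user_field.split("=", 1)[1]


class FailedLoginTracker:
    """Per-source-IP lockout: max_failures within `window` locks the IP for `lock_duration`.

    The defaults are assumed values chosen for illustration; a deployment tunes them.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lock_duration=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lock_duration = lock_duration
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> lock expiry

    def observe(self, ts, ip, failed):
        """Feed one login event; return the decision taken for that connection."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                return "dropped"        # still locked: refuse before consulting the user database
            del self.blocked_until[ip]  # lock expired, start counting again
        if not failed:
            self.attempts[ip].clear()   # a successful login resets the counter for that source
            return "ok"
        recent = self.attempts[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()            # slide the window forward
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = ts + self.lock_duration
            recent.clear()
            return "blocked"
        return "failed"


def process_log(text, tracker):
    """Run every non-empty line through the tracker; return [(ip, decision), ...]."""
    decisions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, failed, _user = parse_line(line)
        decisions.append((ip, tracker.observe(ts, ip, failed)))
    return decisions


def active_blocks(tracker):
    """Map each locked IP to its expiry as 'YYYY-MM-DD HH:MM:SS' (the list handed to the firewall)."""
    return {ip: until.strftime("%Y-%m-%d %H:%M:%S")
            for ip, until in tracker.blocked_until.items()}


if __name__ == "__main__":
    t = FailedLoginTracker()
    for ip, decision in process_log(SAMPLE_LOG, t):
        print(f"{ip:15} {decision}")
    print("locked:", active_blocks(t))
```

Counting per source address rather than per account is what keeps a targeted user from being locked out by someone else's guessing, the collateral damage Sandy objects to; the trade-off Stephan raises still stands, since a botnet spreads its attempts over many addresses and each one stays under the threshold. The window and lock values decide how quickly a single noisy source is dropped without the application having to open a socket and look the username up for every attempt.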
