On 2010-07-21 Daniel V. Reinhardt wrote:
>> From: Ralf Hildebrandt <ralf.hildebra...@charite.de>
>> To: postfix-users@postfix.org
>> Sent: Wed, July 21, 2010 5:00:16 AM
>> Subject: Is such an SSL attack possible against Postfix?
>> 
>> http://blog.fefe.de/?ts=b2b8f9f8
>> Sorry, it's in German. I'll translate some bits:
>> 
>> Somebody went to Torrent trackers and announced blog.fefe.de:443 as a
>> Torrent client (for a really popular download I guess).
>> 
>> Thus, blog.fefe.de:443 got flooded with torrent-client traffic on
>> the SSL port.
>> 
>> Port 25 outgoing will be blocked by most ISPs, but let's assume
>> that's not done by all ISPs. It would work with the submission port!
> 
> In my opinion the port really doesn't matter. If the IP is up and
> fully operational and you send enough traffic to it then yes a DDoS is
> going to happen. If the port isn't open it will just say connection
> refused, but get enough traffic to saturate that bandwidth to the
> server, and the link will go down.
> 
> So in this instance you would only be able to protect yourself via TCP
> and UDP Flood Protection on your IDS and HIPS systems or other
> firewall tools.

The issue with this attack is that it might exhaust CPU resources on the
server without having to saturate the bandwidth, due to cryptographic
operations required by SSL. And that it seems to use BitTorrent as a
multiplicator, so it doesn't require a botnet.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
