Greg Owen writes:
>  >    Yup.  If you have one qmail box forwarding to a second qmail box
>  > which is the mail store, you get this amplification.
> 
> No, you don't get any amplification.  You only get amplification if
> you can get someone else's machine to expend resources that you
> didn't.

        Yes, there is amplification.  It does work; I have tested it.  What
follows is a description of how it works.


        Given a qmail box which relays mail to one other box (qmail,
exchange, sendmail, whatever), a malicious user can generate N messages of
size X (N * X) with the use of (N * sizeof(rcpt to)) + X.  Note that
sizeof(rcpt to) is minuscule compared to the possible values for X.

        Let's say you own qmail box mx10.example.com, and mx10.example.com
relays to mx5.example.com as the final mail store.  It has no knowledge of
users; it just forwards as defined by MX records or smtproutes.  Let's also
say I am at dialup06.msn.com, and that I'm pissed at heaven.af.mil.

        If I (at dialup06.msn.com) connect to mx10.example.com, I can use a
MAIL FROM that points to [EMAIL PROTECTED]:

MAIL FROM: <[EMAIL PROTECTED]>

        I can then enter 100 RCPT TOs, all pointing to invalid users for the
valid domain example.com, which MX10 accepts mail for:

RCPT TO: <[EMAIL PROTECTED]>
RCPT TO: <[EMAIL PROTECTED]>
...
RCPT TO: <[EMAIL PROTECTED]>

        This costs me 100 * 28 bytes, or under 3k.

        Now I send a 1 megabyte DATA segment.

        The total cost to me, on my dialup line, is 1 meg + 3k.

        mx10.example.com then sends that message to mx5.example.com, but
instead of aggregating the RCPT TOs, it sends it 100 times, with one RCPT TO
per message.  Presumably mx10 and mx5 are connected by LAN not WAN, so this
is not a problem for the example.com network.

        But upon reaching mx5.example.com, each one of these messages
bounces because u001 through u100 do not exist at example.com.  Example.com
then sends 100 bounce messages, EACH CONTAINING A 1 MEG ATTACHMENT, to
[EMAIL PROTECTED].  This imposes a 100 megabyte traffic hit on the
relatively lower bandwidth WAN lines of example.com and heaven.af.mil.
Therefore, I have amplified my force from 1 meg + 3k to over 100 meg.  Note
that this scales at the cost of 28 bytes per 1 meg of amplified force, and
that the amount of force amplified (the 1 meg) is also able to scale up (a 5
meg file, for example, is tedious but possible from a dialup line).

        If both example.com and heaven.af.mil have a T1 line, then this
attack DOSes both of them equally (at little cost to lil ole me @ msn.com).
If example.com has a T3 compared to heaven.af.mil's T1, or if I can find
more than one bounce-relay victim (example1.com, example2.com, etc.) then I
can hit heaven.af.mil hard enough to saturate its T1 link.  (Forget
downloading the MAPS list; go to qmail.org and then probe the list of "large
internet sites using qmail" to see which ones have more than one mail hop.
How do you probe?  Send an email to a made up address and study the
Received: headers of the bounce.)


        The point that the original ORBS quote apparently tried to make is
that other MTAs (like sendmail), which would forward the message once with
the 100 RCPT TO lines and bounce it once with 100 "User <[EMAIL PROTECTED]>
not known" errors, only add the slight overhead of the bounce text, and are
therefore not effective in this type of attack.  I don't play with sendmail
any more, and can neither confirm nor deny this understanding.

-- 
        gowen -- Greg Owen -- [EMAIL PROTECTED]
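The byte accounting in the post above, as an added example that is not part of the original message or of qmail: a small model that counts what the sender must push over its own link, how many copies the first hop forwards, and how many bounce bytes land on the spoofed MAIL FROM domain. It also models the three relay-side controls a defender would consider: recipient validation at the first hop (so unknown users are rejected at RCPT TO instead of bounced later), a per-message recipient cap, and aggregated forwarding of the kind the post attributes to sendmail. The 28-byte RCPT TO cost is the post's own estimate; the user names, the 10^6-byte "meg", and the policy names are constructed assumptions.

```python
# Added example, not code from the original post or from qmail.
# Byte-count model of per-recipient bounce amplification and of the
# relay-side mitigations that remove it.  Constants and names are assumed.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

RCPT_LINE_BYTES = 28    # per "RCPT TO: <...>" line, as estimated in the post
MEG = 1_000_000         # "1 meg" in the post, taken here as 10^6 bytes


@dataclass
class RelayPolicy:
    """Behaviour of the first-hop relay (mx10 in the post)."""
    known_users: Optional[FrozenSet[str]] = None  # None: no knowledge of users
    max_rcpt: Optional[int] = None                # None: no per-message cap
    aggregate_forwarding: bool = False            # False: one copy per recipient


@dataclass
class Outcome:
    attacker_bytes: int          # bytes the sender pushed over its own link
    relay_copies: int            # copies forwarded from relay to mail store
    bounce_bytes: int            # bounce bytes sent to the spoofed MAIL FROM
    rejected_at_relay: List[str] = field(default_factory=list)

    @property
    def amplification(self) -> float:
        """Bounce traffic per byte the sender actually spent."""
        return self.bounce_bytes / self.attacker_bytes if self.attacker_bytes else 0.0


def model_transaction(policy: RelayPolicy, recipients: List[str],
                      body_bytes: int, store_users: FrozenSet[str]) -> Outcome:
    """Run one SMTP transaction through the relay and the final mail store."""
    accepted: List[str] = []
    rejected: List[str] = []
    for rcpt in recipients:
        if policy.max_rcpt is not None and len(accepted) >= policy.max_rcpt:
            rejected.append(rcpt)                  # cap reached: 452-style refusal
        elif policy.known_users is not None and rcpt not in policy.known_users:
            rejected.append(rcpt)                  # validated at RCPT TO time
        else:
            accepted.append(rcpt)
    # The sender pays for every RCPT TO line it issued, plus the DATA segment
    # only if at least one recipient was accepted (otherwise DATA is refused).
    attacker_bytes = len(recipients) * RCPT_LINE_BYTES + (body_bytes if accepted else 0)
    # At the mail store, accepted recipients that do not exist generate bounces.
    unknown_at_store = [r for r in accepted if r not in store_users]
    if policy.aggregate_forwarding:
        copies = 1 if accepted else 0
        bounce_bytes = body_bytes if unknown_at_store else 0   # one bounce, one body
    else:
        copies = len(accepted)
        bounce_bytes = len(unknown_at_store) * body_bytes      # one bounce per copy
    return Outcome(attacker_bytes, copies, bounce_bytes, rejected)


# Constructed scenario matching the post: 100 bogus recipients, a 1 meg body,
# and a mail store that only knows two real users.
STORE_USERS = frozenset({"alice@example.com", "bob@example.com"})


def post_scenario(policy: RelayPolicy) -> Outcome:
    recipients = [f"u{i:03d}@example.com" for i in range(1, 101)]
    return model_transaction(policy, recipients, 1 * MEG, STORE_USERS)


if __name__ == "__main__":
    cases = {
        "no validation, per-recipient forwarding": RelayPolicy(),
        "aggregated forwarding":                   RelayPolicy(aggregate_forwarding=True),
        "recipient cap of 10":                     RelayPolicy(max_rcpt=10),
        "recipient validation at first hop":       RelayPolicy(known_users=STORE_USERS),
    }
    for name, policy in cases.items():
        o = post_scenario(policy)
        print(f"{name:42s} sent={o.attacker_bytes:>10,d}  copies={o.relay_copies:>3d}  "
              f"bounces={o.bounce_bytes:>12,d}  x{o.amplification:.1f}")
```

Running the script prints one line per policy; the unmitigated case reproduces the post's roughly hundredfold figure, the aggregated case collapses it to about 1x, a recipient cap bounds it at the cap, and validating recipients at the first hop makes the transaction cost the sender more than it costs the victim. The detection counterpart of the same model is a rate check on RCPT TO rejections (or on bounces to one MAIL FROM) per client, which the numbers above make easy to threshold.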
