>We are in the midst of a security audit performed by Ernst & Young.
>They are claiming something about a DOS situation.  What I need to
>find out is whether there are any known DOS situations out there.
>If so what needs to be done to take care of the problem.

Andy,

The standard DoS is to open lots of SMTP connections to an SMTP server,
which could be qmail, or any other MTA - and leave them open. Since
[vanilla] SMTP is not authenticated, this attack could be initiated from
anywhere. It's unlikely that you'd be able to knock out a whole machine
like this (tcpserver gives the -c option to limit the no. of connections, and
even inetd has a crappy way of limiting connections), but you would be
able to DoS SMTP on a machine (the attacker continues to set up lots
of SMTP connections to force the MTA to its SMTP connection limit, so
that anyone else trying to establish an SMTP connection is likely to fail).

The normal way to reduce the effect of this potential attack is to think
carefully about your setup - maybe you can separate SMTP into "Ingoing"
and "Outgoing" - the latter for, say, the office network only. Then set up
separate tcpserver processes (different IPs) for both, filtered accordingly.
Additionally, you can use other tools like POP3-before-SMTP.

cheers,

Andrew.
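An added example, not part of Andrew's mail, of the split setup he describes: two tcpserver instances for SMTP, a public inbound one and an office-only outbound one, each with its own concurrency cap (-c) and its own tcprules filter (-x). The IP addresses, office subnet, uid/gid numbers, rule directory and limits are placeholders to be replaced for your own network; the tcpserver and tcprules flags and the RELAYCLIENT convention are the real ucspi-tcp/qmail ones.

```shell
#!/bin/sh
# Added example (not from the original mail): split SMTP into a public
# inbound instance and an office-only outbound instance, each run by its
# own tcpserver with a connection cap (-c) and a tcprules filter (-x).
# All addresses, subnets, ids, paths and limits below are placeholders.

INBOUND_IP="192.0.2.25"        # public MX address (placeholder, TEST-NET-1)
OUTBOUND_IP="192.0.2.26"       # address the office network submits to (placeholder)
OFFICE_NET="10.1.2."           # office subnet as a tcprules prefix (placeholder)
INBOUND_LIMIT=40               # max simultaneous inbound SMTP sessions (assumed)
OUTBOUND_LIMIT=20              # max simultaneous office sessions (assumed)
QMAILD_UID=7791                # placeholder; look up with: id -u qmaild
NOFILES_GID=2108               # placeholder; look up with: id -g qmaild
RULES_DIR="${RULES_DIR:-/etc/tcp.smtp}"
QMAIL_SMTPD="/var/qmail/bin/qmail-smtpd"

# Public MX: anyone may connect, but RELAYCLIENT is never set, so this
# instance accepts mail for local domains only and cannot be used as a relay.
inbound_rules() {
    printf '%s\n' ':allow'
}

# Office relay: only the office subnet may connect (and may relay).
# Everyone else is refused by tcpserver before qmail-smtpd is started,
# so a stray connection never occupies one of this instance's slots.
outbound_rules() {
    printf '%s\n' "${OFFICE_NET}:allow,RELAYCLIENT=\"\"" ':deny'
}

# Build the tcpserver command line for one instance.
# -R skips IDENT lookups and -H skips the reverse-DNS lookup: both can
# stall a session for seconds, which makes holding connections open
# cheaper for whoever is doing it.  -c caps concurrent sessions, -u/-g
# drop privileges before qmail-smtpd runs.
tcpserver_cmd() {
    # $1 = listen IP, $2 = concurrency limit, $3 = compiled rules (cdb)
    printf 'tcpserver -v -R -H -c %s -x %s -u %s -g %s %s smtp %s\n' \
        "$2" "$3" "$QMAILD_UID" "$NOFILES_GID" "$1" "$QMAIL_SMTPD"
}

inbound_cmd()  { tcpserver_cmd "$INBOUND_IP"  "$INBOUND_LIMIT"  "$RULES_DIR/inbound.cdb"; }
outbound_cmd() { tcpserver_cmd "$OUTBOUND_IP" "$OUTBOUND_LIMIT" "$RULES_DIR/outbound.cdb"; }

# Write the rule text and compile it with tcprules.  Only runs when the
# script is invoked with "install", so it is safe to source for review.
install_rules() {
    mkdir -p "$RULES_DIR"
    inbound_rules  > "$RULES_DIR/inbound"
    outbound_rules > "$RULES_DIR/outbound"
    tcprules "$RULES_DIR/inbound.cdb"  "$RULES_DIR/inbound.tmp"  < "$RULES_DIR/inbound"
    tcprules "$RULES_DIR/outbound.cdb" "$RULES_DIR/outbound.tmp" < "$RULES_DIR/outbound"
}

case "${1:-}" in
    install) install_rules ;;
    show)    inbound_cmd; outbound_cmd ;;
esac
```

Run it with "show" to print the two command lines (put them in your supervise/run scripts or whatever starts tcpserver on your system) and with "install" as root to compile the rule files. The point of the split is that an attacker filling the public instance's 40 slots only affects inbound delivery; office users keep submitting mail through the second instance, which the attacker cannot even connect to.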
