Is such an SSL attack possible against Postfix?

2010-07-21 Thread Ralf Hildebrandt
http://blog.fefe.de/?ts=b2b8f9f8
sorry, it's in German. I'll translate some bits:

Somebody went to Torrent trackers and announced blog.fefe.de:443 as a
Torrent client (for a really popular download, I guess).

Thus, blog.fefe.de:443 got flooded with torrent-client traffic on the
SSL port.

Port 25 outgoing will be blocked by most ISPs, but let's assume that's
not done by all ISPs. It would work with the submission port!

-- 
Ralf Hildebrandt
  IT Division | Network Department
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



RE: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Jonathan Tripathy
Port 25 outgoing will be blocked by most ISPs
---
 
This may be the case in your country, but from where I'm from, I've never had a 
problem sending out on port 25, even on home residential ISPs :)




RE: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Gordan Bobic
On Wed, 2010-07-21 at 10:02 +0100, Jonathan Tripathy wrote:
 Port 25 outgoing will be blocked by most ISPs
 --
  
 This may be the case in your country, but from where I'm from, I've
 never had a problem sending out on port 25, even on home residential
 ISPs :)

My observation is the same. I am aware of only one ISP blocking
outbound port 25, and that is Three, and from what I have been able to
check, they only block for access from mobile phones. Of course,
outbound port 587 isn't blocked.

Back to the original point about SSL DDoS, you have to consider how SSL
works for SMTP. The correct way to do SMTP encryption is via TLS, not
SMTPS, which means the connection gets set up without SSL and then
switches to TLS at the protocol level. That means the client would have to
know how to talk SMTP first, which BT clients don't.

OTOH, if you are running SMTPS, then SSL would get established first,
before the protocol connection is set up, so you would get hit with the
SSL setup overheads. But you shouldn't be running SMTPS; its very
existence is an ill-thought-out hangover from the dark ages.

Gordan



Re: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Charles Marcus
Jonathan Tripathy wrote:
 Port 25 outgoing will be blocked by most ISPs

 This may be the case in your country, but from where I'm from, I've
 never had a problem sending out on port 25, even on home residential
 ISPs :)

Any ISP that does *not* block port 25 for residential service is a part
of the spam/zombie problem, and if yours doesn't, you should complain,
loudly if necessary, and encourage them to block it.


Re: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Daniel V. Reinhardt


- Original Message 

 From: Ralf Hildebrandt ralf.hildebra...@charite.de
 To: postfix-users@postfix.org
 Sent: Wed, July 21, 2010 5:00:16 AM
 Subject: Is such an SSL attack possible against Postfix?
 
 http://blog.fefe.de/?ts=b2b8f9f8
 sorry, it's in German. I'll translate some bits:
 
 Somebody went to Torrent trackers and announced blog.fefe.de:443 as a
 Torrent client (for a really popular download, I guess).
 
 Thus, blog.fefe.de:443 got flooded with torrent-client traffic on the
 SSL port.
 
 Port 25 outgoing will be blocked by most ISPs, but let's assume that's
 not done by all ISPs. It would work with the submission port!
 

All,

In my opinion the port really doesn't matter. If the IP is up and fully 
operational and you send enough traffic to it, then yes, a DDoS is going to 
happen. If the port isn't open it will just say connection refused, but get 
enough traffic to saturate the bandwidth to the server, and the link will go 
down.

So in this instance you would only be able to protect yourself via TCP and UDP 
Flood Protection on your IDS and HIPS systems or other firewall tools.

Thanks,
Daniel Reinhardt
Website: www.cryptodan.com
Email:  crypto...@yahoo.com


  


RE: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Jonathan Tripathy
Jonathan Tripathy wrote:
 Port 25 outgoing will be blocked by most ISPs

 This may be the case in your country, but from where I'm from, I've
 never had a problem sending out on port 25, even on home residential
 ISPs :)

Any ISP that does *not* block port 25 for residential service is a part
of the spam/zombie problem, and if yours doesn't, you should complain,
loudly if necessary, and encourage them to block it.


-

Every ISP in the UK?

I beg to disagree. Blocking port 25 is a violation of Net Neutrality.

Now, by default, ISPs do put their DSL (dynamic and static) IP addresses 
automatically on the RBL blacklist, listed as servers which should not normally 
send email. To realistically send email from a dynamic IP, you need to remove 
yourself from that list, but you have to promise not to spam. Then, if you 
spam, you get put back on permanently.



Re: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Ansgar Wiechers
On 2010-07-21 Daniel V. Reinhardt wrote:
 From: Ralf Hildebrandt ralf.hildebra...@charite.de
 To: postfix-users@postfix.org
 Sent: Wed, July 21, 2010 5:00:16 AM
 Subject: Is such an SSL attack possible against Postfix?
 
 http://blog.fefe.de/?ts=b2b8f9f8
 sorry, it's in German. I'll translate some bits:
 
 Somebody went to Torrent trackers and announced blog.fefe.de:443 as a
 Torrent client (for a really popular download, I guess).
 
 Thus, blog.fefe.de:443 got flooded with torrent-client traffic on
 the SSL port.
 
 Port 25 outgoing will be blocked by most ISPs, but let's assume
 that's not done by all ISPs. It would work with the submission port!
 
 In my opinion the port really doesn't matter. If the IP is up and
 fully operational and you send enough traffic to it, then yes, a DDoS is
 going to happen. If the port isn't open it will just say connection
 refused, but get enough traffic to saturate the bandwidth to the
 server, and the link will go down.
 
 So in this instance you would only be able to protect yourself via TCP
 and UDP Flood Protection on your IDS and HIPS systems or other
 firewall tools.

The issue with this attack is that it might exhaust CPU resources on the
server without having to saturate the bandwidth, due to cryptographic
operations required by SSL. And that it seems to use BitTorrent as a
multiplicator, so it doesn't require a botnet.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Wietse Venema
Ralf Hildebrandt:
 * Ansgar Wiechers li...@planetcobalt.net:
 
  The issue with this attack is that it might exhaust CPU resources on the
  server without having to saturate the bandwidth, due to cryptographic
  operations required by SSL.
 
 Correct.
 
  And that it seems to use BitTorrent as a multiplicator, so it doesn't
  require a botnet.
 
 It brings its own botnet :)

And thus, Postfix's botnet defenses kick in. With port 25 and 587,
the session won't even get to the TLS handshake. Postfix will go
into stress mode and hang up after the first SMTP error. Just
pray that there is a newline character somewhere in the client TLS
HELLO packet.

Wietse
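
Gordan's point above (a BitTorrent client never gets past the plaintext SMTP stage of a STARTTLS port) and Wietse's point (a line-oriented listener only reacts once it sees a newline, and under stress hangs up after the first error) can be modelled in a few dozen lines. The following is an added illustration for this thread, not Postfix source: the server loop is a deliberate simplification of smtpd(8), the banner hostname is hypothetical, and the error and timeout limits mirror the documented Postfix stress-dependent defaults (smtpd_hard_error_limit 20 or 1, smtpd_timeout 300s or 10s). The TLS ClientHello it feeds in is constructed, not captured.

```python
"""Toy model of what a plaintext SMTP listener (port 25 or 587) does when a
BitTorrent peer, believing it has found an SSL port, sends a raw TLS ClientHello.

Added for this thread; not Postfix source code.  The two limits below mirror the
documented Postfix stress-dependent defaults (smtpd_hard_error_limit 20, or 1
under stress; smtpd_timeout 300s, or 10s under stress), but the command loop is
a deliberate simplification of smtpd(8).
"""
import struct

# SMTP verbs the model recognises; anything else counts as an error.
SMTP_VERBS = {b"HELO", b"EHLO", b"STARTTLS", b"MAIL", b"RCPT", b"DATA",
              b"RSET", b"NOOP", b"VRFY", b"QUIT"}


def build_client_hello(random32: bytes, cipher_suites) -> bytes:
    """Return a minimal TLS 1.2 ClientHello record with no extensions.

    Constructed input for the simulation, not a capture.  cipher_suites are
    16-bit IANA code points, e.g. 0x002F = TLS_RSA_WITH_AES_128_CBC_SHA and
    0x000A = TLS_RSA_WITH_3DES_EDE_CBC_SHA (whose low byte happens to be '\\n').
    """
    if len(random32) != 32:
        raise ValueError("ClientHello random must be exactly 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03"                                   # client_version TLS 1.2
            + random32
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                # compression: null only
    # Handshake header: type 1 (ClientHello) + 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), legacy version 3.1, 16-bit length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def smtp_command_loop(client_bytes: bytes, stress: bool = False):
    """Feed client_bytes to the modelled server.

    Returns (replies, outcome, idle_seconds).  The server is line-oriented:
    it reacts only when it sees b"\\n".  Every unrecognised line is one error,
    and at smtpd_hard_error_limit errors the server replies 421 and hangs up.
    Bytes without a trailing newline are never parsed; the connection then
    sits idle until smtpd_timeout would fire.
    """
    hard_error_limit = 1 if stress else 20
    timeout_seconds = 10 if stress else 300
    replies = [b"220 mail.example.invalid ESMTP"]   # hypothetical banner
    errors = 0
    buf = client_bytes
    while b"\n" in buf:
        line, buf = buf.split(b"\n", 1)
        parts = line.split()                 # bytes.split(): ASCII whitespace
        verb = parts[0].upper() if parts else b""
        if verb == b"QUIT":
            replies.append(b"221 2.0.0 Bye")
            return replies, "client quit", 0
        if verb in SMTP_VERBS:
            replies.append(b"250 2.0.0 Ok")  # simplification: accept known verbs
            continue
        errors += 1
        if errors >= hard_error_limit:
            replies.append(b"421 4.7.0 Error: too many errors")
            return replies, "server hung up", 0
        replies.append(b"502 5.5.2 Error: command not recognized")
    return replies, "idle until timeout", timeout_seconds


def classify_hello(hello: bytes, stress: bool = False) -> str:
    """One-phrase summary of the outcome, for comparing ClientHellos quickly."""
    return smtp_command_loop(hello, stress)[1]


if __name__ == "__main__":
    fixed_random = b"A" * 32                       # no 0x0A in the random
    for label, suites in (("AES-128 only", [0x002F]), ("3DES offered", [0x000A])):
        hello = build_client_hello(fixed_random, suites)
        for stress in (False, True):
            replies, outcome, idle = smtp_command_loop(hello, stress)
            print(f"{label:13} stress={stress!s:5} -> {outcome} "
                  f"(replies={len(replies)}, idle={idle}s)")
```

Run stand-alone it shows the two halves of Wietse's remark: a ClientHello that contains a 0x0A byte (here forced via cipher suite 0x000A; in a real hello the 32 random bytes make it partly chance) is read as one garbage "command", answered with 502, and under stress immediately followed by 421 and a hang-up, all before any crypto is done. A ClientHello with no newline byte is never parsed at all, so the process just sits on the socket until smtpd_timeout, which is why the stress-mode 10-second timeout matters for this traffic pattern.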


Re: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Charles Marcus
Jonathan Tripathy wrote:
 Any ISP that does *not* block port 25 for residential service is a part
 of the spam/zombie problem, and if yours doesn't, you should complain,
 loudly if necessary, and encourage them to block it.

 Every ISP in the UK?

Every one that is not, at a bare minimum, closely monitoring it for
botnet traffic *and* *immediately* shutting down infected IPs, then yes,
absolutely...

But, since most residential users have no need to send/receive email
directly over port 25, it is *much* easier (and more effective) to just
block it for designated subnets, so they only have to worry about
monitoring those that they *know* will be using it (because they
specifically asked for it).

 I beg to disagree. Blocking port 25 is a violation of Net Neutrality.

Ridiculous, net neutrality has nothing to do with service level
agreements. Residential service does not in any way, shape or form
equate to requiring full SMTP services to be able to run your own full
blown mail server, nor does denying access to port 25 for 'normal'
residential users impact their ability to access the internet or
send/receive email.

If you want that level of service, upgrade to a service that provides
it, and that will be at least minimally monitored for abuse (it is in
the ISPs best interest to avoid getting their IP addresses on blacklists).


RE: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Jonathan Tripathy


 I beg to disagree. Blocking port 25 is a violation of Net Neutrality.

Ridiculous, net neutrality has nothing to do with service level
agreements. Residential service does not in any way, shape or form
equate to requiring full SMTP services to be able to run your own full
blown mail server, nor does denying access to port 25 for 'normal'
residential users impact their ability to access the internet or
send/receive email.

If you want that level of service, upgrade to a service that provides
it, and that will be at least minimally monitored for abuse (it is in
the ISPs best interest to avoid getting their IP addresses on blacklists).
 
-
 
I pay for a connection to the internet. Provided I don't do anything illegal, I 
should be allowed to pass whatever traffic I want on it - even SMTP traffic. 
Blocking outgoing port 25 is not a solution.
 
An example: what if I own an SMTP server somewhere else, and want to test it 
from my home one evening? 
 
Why should I be forced to use an ISP's mail server to send an email?
 
But this is getting a bit OT for this list I think.
 
Bottom line, ISPs should not block any traffic or any ports. That doesn't mean 
they should guarantee any level of uptime or speed (however whatever measure 
they apply should be uniform across all protocols), but the actual contents 
that is passed should not be touched. Also, ISP should *never* monitor traffic. 
This is a violation of privacy rights, net neutrality, as well implicates the 
ISP in a lot of legal areas that they would want to avoid (example: EU laws 
says that if an ISP it not aware of any illegal activity/content, then they are 
not doing anything wrong. If they monitor traffic, they become liable for 
everything illegal that is passed.)
 
At the very least, if an ISP blocks port 25, then a simple phone call should 
allow this to be unblocked.



OT: ISP Blocking of port 25 - WAS: Re: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Charles Marcus
On 2010-07-21 11:16 AM, Gordan Bobic gor...@bobich.net wrote:
 If you want that level of service, upgrade to a service that
 provides it, and that will be at least minimally monitored for
 abuse (it is in the ISPs best interest to avoid getting their IP
 addresses on blacklists).

 Absolute nonsense. There are a lot of people who prefer to run their
 own mail servers, and they do so legitimately on residential-grade
 lines because they are cheaper than business ones.

Ok, so by that argument, if I sign up for entry level cable service, I
should then be able to 'demand' their fastest level of service at the
same price, or get Pay-Per-View movies for free, just because?

Ludicrous... SLAs were created for a reason - and no, just because you
have a bicycle does not give you the 'right' to demand unfettered access
to the autobahn.

 Either way, what you're wishing for isn't going to happen any time soon,
 and it's getting off topic.

Well, we agree on one thing at least... ;)

On 2010-07-21 11:21 AM, Jonathan Tripathy jon...@abpni.co.uk wrote:
 I pay for a connection to the internet. Provided I don't do anything
 illegal, I should be allowed to pass whatever traffic I want on it -
 even SMTP traffic.

That would depend on the terms of the contract you signed, now wouldn't it.

 Blocking outgoing port 25 is not a solution.

It completely eliminates the possibility of the connected PC from being
an active bot, even if it is compromised.

So, you are wrong, it is an incredibly simple and powerful solution to
that particular problem.

 An example: what if I own an SMTP server somewhere else, and want to
 test it from my home one evening?

Silly question... what if I have an entry level cable TV account, and
want to watch something on Pay-Per-View? By your argument, I should be
able to watch it without paying?

Sorry, port 25 access should be controlled, this is the only sane
solution to the problem of botnets, and as long as ISPs *don't* control
it, botnets will continue to be a plague on the internet.

 Why should I be forced to use an ISP's mail server to send an email?

You aren't. You have the option of paying for port 25 access, or finding
an ISP that allows residential customers to individually request and get
said access at no extra charge.

 But this is getting a bit OT for this list I think.

Again, agreed, and this will be my last list post...

 Bottom line, ISPs should not block any traffic or any ports.

I could say something like 'spoken like a true spammer', but that would
be rude - and likely not apply to you anyway, even though it does sound
like something a spammer would say.

 That doesn't mean they should guarantee any level of uptime or speed

Why not? If you believe you have the right to force them to not block
any ports, why should the speed or uptime be any different?

The bottom line is, internet access is determined by contract, so it all
depends on the terms of the contract.

 but the actual contents that is passed should not be touched.

For 'allowed' traffic, and with the exception of passive monitoring for
abusive behavior, I agree completely.

 Also, ISP should *never* monitor traffic.

Depending on what you mean by 'monitor', I emphatically disagree.

 This is a violation of privacy rights,

Not according to my definition of 'monitor' - I'm only talking about
monitoring behavior and looking for abusive patterns, not examining content.

 net neutrality,

Irrelevant...

 If they monitor traffic, they become liable for everything illegal
 that is passed.

I think they *should* be liable for all of the botnets spewing filth
from their networks - and since I agree they shouldn't be examining
*content*, as long as they aren't they wouldn't be liable for it.

 At the very least, if an ISP blocks port 25, then a simple phone call
 should allow this to be unblocked.

If they want to place you in the 'commercial' (for lack of a better
word) subnet for free, I have no problem with that. But the *default*
for residential service should be to block port 25.

Anyway, enough said on the subject, I don't imagine the above will
change anyone's mind...


Re: Is such an SSL attack possible against Postfix?

2010-07-21 Thread Stan Hoeppner
Charles Marcus put forth on 7/21/2010 7:46 AM:
 Jonathan Tripathy wrote:
 Port 25 outgoing will be blocked by most ISPs
 
 This may be the case in your country, but from where I'm from, I've
 never had a problem sending out on port 25, even on home residential
 ISPs :)
 
 Any ISP that does *not* block port 25 for residential service is a part
 of the spam/zombie problem, and if yours doesn't, you should complain,
 loudly if necessary, and encourage them to block it.

Complain that TCP 25 blocking should be the _default_ policy at either the
$access_concentrator or CPE, but not the _only_ policy.  A customer request to
open TCP 25 should be honored, and there should be an online form and
automatic process to open it instantly upon such a customer request.

Consumer choice is something many in the developed world consider to be a
right more than a side effect of capitalism.  Consumers should have the right
to run their own MX/outbound on their broadband connection if they so choose,
and they shouldn't be required to use their ISP's submission servers if they
prefer to send SMTP directly.

-- 
Stan