Re: Subtle qmail bug? (was Re: Handling an MX record of 0.0.0.0 o r 127.0.0.1)

2001-01-29 Thread Paul Jarc

Scott Gifford [EMAIL PROTECTED] writes:
> It means that a user sending a steady stream of 10 (small)
> messages/sec over a dialup connection makes your system deal with
> 600 messages/sec, which would normally take a T1.

But this doesn't involve any real network connections - it's all on
loopback.  So it wouldn't saturate an actual T1, if that's what you
were saying.  Right?


paul



Re: Subtle qmail bug? (was Re: Handling an MX record of 0.0.0.0 o r 127.0.0.1)

2001-01-29 Thread Greg White

On Mon, Jan 29, 2001 at 05:56:38PM -0500, Paul Jarc wrote:
> Scott Gifford [EMAIL PROTECTED] writes:
> > It means that a user sending a steady stream of 10 (small)
> > messages/sec over a dialup connection makes your system deal with
> > 600 messages/sec, which would normally take a T1.
> 
> But this doesn't involve any real network connections - it's all on
> loopback.  So it wouldn't saturate an actual T1, if that's what you
> were saying.  Right?

I believe that Scott's point is best illustrated this way (and
forgive me if I'm wrong here, Scott):

A user on a dialup sending 10 messages per second can start a DoS
attack normally only possible for a user with a T1, consisting of
600 messages per second.

Thus, a lowly dialup user can now mount a much nastier DoS attack
than he could against MTAs which do not exhibit this problem.

-- 
Greg White
Those who make peaceful revolution impossible will make violent
revolution inevitable.
-- John F. Kennedy



Re: Subtle qmail bug? (was Re: Handling an MX record of 0.0.0.0 o r 127.0.0.1)

2001-01-29 Thread Peter van Dijk

On Mon, Jan 29, 2001 at 03:17:14PM -0800, Greg White wrote:
[snip]
> A user on a dialup sending 10 messages per second can start a DoS
> attack normally only possible for a user with a T1, consisting of
> 600 messages per second.

And with only the system-load (taken as a broad concept :) associated
with that attack. There is no network-bandwidth-abuse involved.
(localhost is not considered a network, here).

Greetz, Peter.



Re: Subtle qmail bug? (was Re: Handling an MX record of 0.0.0.0 o r 127.0.0.1)

2001-01-25 Thread Scott Gifford

Greg Owen [EMAIL PROTECTED] writes:

> > Well I guess that this one is definitely eligible for the
> > "qmail security challenge".
> > 
> > http://web.infoave.net/~dsill/qmail-challenge.html
> 
>    I don't think so.  The challenge says:

Obviously, the purpose of reporting this bug wasn't to win the expired
qmail challenge.  It's not a security bug, but a correctness bug, and
a DoS bug (it seriously horked our mail servers).

[ ... ]

>    This attack merely causes messages to loop a bit before bouncing.
> This barely even qualifies as a DOS attack.
> 

A message sent into the system, sent to a user at a 0.0.0.0 MX host,
from a user at a 0.0.0.0 MX host, passes through qmail-smtpd,
qmail-queue, qmail-send, and qmail-remote 60 times before it's gone
from your system (30 before it bounces, and another 30 trying to
deliver the bounce).  That means that if you have 2% of your messages
addressed this way, deliberately or accidentally, you need 120% more
power (over twice as much) to process the bounces.  It means that a
user sending a steady stream of 10 (small) messages/sec over a dialup
connection makes your system deal with 600 messages/sec, which would
normally take a T1.  A user on a T1 or fast DSL sending 600
messages/sec makes your system deal with 36,000 messages/sec, which
would normally take 2 T3s.  It makes it possible for a home user with
relatively few resources to take down a medium-sized qmail
installation with no real effort.  And they can even do it
accidentally, if they're spamming or dealing with a mailing list.

Our mail system at OneMain.COM processes over 23 million messages a
day with no problem, and this bug brought it to its knees.

It's a serious bug.

But it's relatively easy to fix (in ipme.c), or to work around (don't
allow connections from 127.0.0.1 to qmail-smtpd).

---ScottG.
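The loop Scott describes (a message between two domains whose MX resolves to 0.0.0.0 goes through qmail-smtpd, qmail-queue, qmail-send and qmail-remote 30 times, then the bounce goes round another 30) can be modelled to reproduce the 60-pass amplification and to show what an ipme-style fix changes. The following is an added example written for this page; it is a constructed simulation, not qmail's code. The hop limit of 30 is taken from the post rather than from the qmail source, the MX table and the host's own addresses (192.0.2.1 and 127.0.0.1) are made up, and the "fixed" check simply treats 0.0.0.0 as a local address, since connect() to 0.0.0.0 on a Unix host reaches the local machine.

```python
"""Model of the MX-of-0.0.0.0 delivery loop described in the thread above.

Constructed simulation, not qmail source: counts how many times a message
(and the bounce it produces) passes through the smtpd -> queue -> send ->
remote pipeline, with and without a local-address check that knows that
0.0.0.0 reaches the local host.
"""
from dataclasses import dataclass

# Loop limit as stated in the post ("30 before it bounces"); an assumption,
# not a value taken from the qmail source.
MAX_HOPS = 30

# Addresses this host believes are its own (constructed: one public interface
# plus loopback).  Models the interface list an ipme-style check would see.
MY_ADDRS = {"192.0.2.1", "127.0.0.1"}

# Constructed MX answers: two domains whose best MX resolves to 0.0.0.0 and
# one ordinary remote domain.
MX_TABLE = {
    "victim.example": "0.0.0.0",
    "attacker.example": "0.0.0.0",
    "good.example": "192.0.2.10",
}


def is_me(ip, fixed):
    """Is `ip` this host?  The unfixed check knows only the bound addresses;
    the fixed one also treats 0.0.0.0 as local, because connect() to 0.0.0.0
    on a Unix host reaches the local machine (the root cause of the loop)."""
    if ip in MY_ADDRS:
        return True
    return fixed and ip == "0.0.0.0"


@dataclass
class Message:
    sender: str     # envelope sender domain; "" for a bounce (null sender)
    recipient: str  # envelope recipient domain
    hops: int = 0   # Received: lines accumulated so far


def remote_passes(msg, mx_table, fixed):
    """Number of qmail-remote delivery attempts until `msg` and every bounce
    it generates have left the system."""
    passes = 0
    work = [msg]
    while work:
        m = work.pop()
        ip = mx_table.get(m.recipient)
        if ip is None:
            # No MX known: in this model that is a local mailbox (e.g. the
            # postmaster receiving a double bounce), so no remote pass.
            continue
        passes += 1
        if is_me(ip, fixed):
            # qmail-remote refuses to deliver a non-local domain to itself:
            # permanent failure after a single pass.
            pass
        elif ip == "0.0.0.0":
            # connect() lands on our own qmail-smtpd, which requeues the
            # message with one more hop unless the hop limit is reached.
            if m.hops + 1 < MAX_HOPS:
                work.append(Message(m.sender, m.recipient, m.hops + 1))
                continue
            # hop limit reached: smtpd rejects as looping -> permanent failure
        else:
            continue  # delivered to a real remote host, done
        # Permanent failure: bounce to the sender.  A failed bounce (null
        # sender) becomes a double bounce to the local postmaster.
        if m.sender == "":
            work.append(Message("", "postmaster", 0))
        else:
            work.append(Message("", m.sender, 0))
    return passes


def load_multiplier(fraction_looping, passes_per_looping_msg):
    """Relative processing load when `fraction_looping` of the traffic takes
    `passes_per_looping_msg` passes through the pipeline instead of one."""
    return 1 + fraction_looping * (passes_per_looping_msg - 1)


if __name__ == "__main__":
    looping = Message("attacker.example", "victim.example")
    print("unfixed:", remote_passes(looping, MX_TABLE, fixed=False))  # 60
    print("fixed:  ", remote_passes(looping, MX_TABLE, fixed=True))   # 2
    print("2%% looping traffic needs %.2fx the capacity"
          % load_multiplier(0.02, 60))  # 2.18
```

Without the fix the model reproduces the post's numbers: 30 passes before the first rejection, 30 more for the bounce, and a dialup sender at 10 messages/sec therefore costs the server 600 pipeline passes per second. With 0.0.0.0 recognised as "me", qmail-remote fails the message on its first pass and the bounce on its second, so the whole episode is two passes. The multiplier of 2.18 for 2% looping traffic is what the post rounds to "120% more power (over twice as much)".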