ietf-smtp

Re: Abort data transfer?

2009-10-21 15:11:28


> I guess the thing is that it COULD be used as a DoS attack -

There's lots of things COULD be used as an attack.  The fact that it's
never happened in 30 years suggests this is not one worth worrying about.

FWIW, we had a customer who ran into exactly this attack about five years back:
Endless data coming in on an SMTP connection.

We have facilities both to ignore data past a (settable) limit and to drop
connections past a (settable) limit, but they weren't engaged. As I recall,
engaging them solved the immediate problem, but the attacker switched almost
immediately to a stream of SYNs, which the mail server could handle but which
nevertheless ate up all available bandwidth. At that point this ceased to be a
mail server issue and became a router issue so we were out of the picture and I
don't recall hearing the resolution.

In any case, I think this particular branch on the attack tree is pretty thin
compared to some of its neighbors, but it does exist.

                                Ned

P.S. Another attack we've seen in the field a couple of times is the "send one
byte every few seconds and keep lots of connections open" one. In fact if our
experience is representative (I have no idea if it is or not) this is actually
more of a concern.
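
The two limits described in the message above (ignore data past one threshold, drop the connection past another), together with a minimum-rate check for the slow-drip case in the P.S., shown as an added example that is not part of the original post or of any mail server's code. All names and limit values are assumptions, and the minimum-rate check is one common countermeasure rather than something the post describes.

```python
from dataclasses import dataclass

@dataclass
class Limits:               # all values are illustrative assumptions
    max_store: int = 1000   # bytes kept; later data is read but ignored
    max_total: int = 5000   # bytes after which the connection is dropped
    grace_s: float = 10.0   # seconds before the rate check applies
    min_rate: float = 50.0  # required average bytes/second after the grace period
    max_duration_s: float = 600.0  # hard cap on one DATA phase

def receive_data(events, lim):
    """events: (seconds_since_DATA, chunk) pairs. Returns (verdict, stored_bytes)."""
    stored, total = bytearray(), 0
    tail = b"\r\n"  # DATA follows a CRLF, so a leading ".\r\n" already terminates
    for t, chunk in events:
        if t > lim.max_duration_s:
            return "drop:deadline", bytes(stored)
        total += len(chunk)
        if total > lim.max_total:              # endless stream: stop reading
            return "drop:size", bytes(stored)
        stored += chunk[:max(0, lim.max_store - len(stored))]
        window = tail + chunk                  # catches a terminator split across chunks
        if b"\r\n.\r\n" in window:
            # Bytes after the terminator (pipelined commands) are not handled here.
            ok = total <= lim.max_store
            return ("accept" if ok else "reject:too-big"), bytes(stored)
        tail = window[-4:]
        if t > lim.grace_s and total / t < lim.min_rate:   # slow-drip sender
            return "drop:slow", bytes(stored)
    return "drop:eof", bytes(stored)           # peer closed without a terminator

# Constructed arrival traces (not captured traffic).
NORMAL = [(0.1, b"Subject: hi\r\n\r\nbody\r\n"), (0.2, b".\r\n")]

def endless():  # data that never ends, 512 bytes every 10 ms
    return ((0.01 * i, b"x" * 512) for i in range(1, 10_000))

def drip():     # one byte every three seconds
    return ((3.0 * i, b"x") for i in range(1, 10_000))

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL), ("endless", endless()), ("drip", drip())]:
        print(name, receive_data(trace, Limits())[0])
```

The rate check here only fires when a chunk arrives; a real server also needs an idle timer so that a peer sending nothing at all is disconnected too.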
