Re: Abort data transfer?
2009-10-23 07:11:14
John R Levine wrote:
> [...] The infamous Ron Guilmette had an amazing tarpit
> MTA about a decade ago that used that technique to keep 4000
> simultaneous connections open, running on a 486. But since the rise of
> botnets, tarpitting lost whatever effectiveness it might have had, so I
> don't know of anyone still doing it.
Courier-MTA does it, for one. I cannot think of another method for
handling dictionary attacks, targeting either user/passwd or rcpt.
It's obviously not enough against a botnet, but I think it's a good
practice. In such a scenario, it is normal to have some SMTP daemons
loitering about with their tarpits; IME they usually arrive at a
regular disconnection. However, in case the maximum number of daemons
is reached, one should force some of those connections to abort. I
think that can happen by chance, not necessarily implying a deliberate
DoS attack.

Forcefully aborting connections, as well as disallowing further access
from those IPs, is better dealt with at the system's firewall level:
if knowledge about bad behavior is encapsulated within the SMTP
software, different daemons have to duplicate both the functionality
and the data, resulting in an overall weaker system. BTW, I reckon
4000 IPs can be handled with a ~400K .db file keyed on the IP number,
and would need ~400G to map the whole IPv4 address space that way.
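The policy sketched in the post (tarpit delays that grow with failed RCPT/AUTH attempts, a cap on simultaneous SMTP daemons that forces some connections to abort, and a hand-off of persistently bad IPs to the firewall) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Courier-MTA code nor anything from the thread. The class and constant names (TarpitPolicy, MAX_DAEMONS, BLOCK_THRESHOLD), the delay schedule and the nftables-style rule text are all assumptions chosen for illustration, and the client addresses are constructed from the 192.0.2.0/24 documentation range.

```python
"""Tarpit / abort / firewall hand-off policy model (added example, not Courier-MTA code).

Assumptions: a per-connection delay of BASE_DELAY * failures (capped), a small
daemon cap so the abort path is exercised, and an IP block list rendered as
nftables-style set additions. All names and values are illustrative.
"""
import ipaddress
import itertools
import time
from dataclasses import dataclass

MAX_DAEMONS = 4         # concurrent SMTP daemons allowed (tiny, to show the abort path)
BASE_DELAY = 2.0        # seconds of tarpit added per failed attempt (assumed)
MAX_DELAY = 60.0        # cap on a single tarpit delay (assumed)
BLOCK_THRESHOLD = 5     # cumulative failures before the IP goes to the firewall (assumed)


@dataclass
class Connection:
    ip: str
    started: float
    failures: int = 0

    def delay(self) -> float:
        """Tarpit delay before the next reply: grows with failures, capped."""
        return min(BASE_DELAY * self.failures, MAX_DELAY)


class TarpitPolicy:
    def __init__(self, now=time.monotonic):
        self.now = now
        self.active: dict[int, Connection] = {}   # session id -> live connection
        self.bad_ips: dict[str, int] = {}         # the small "db keyed on the IP number"
        self.blocked: set[str] = set()
        self._next_id = 0

    def accept(self, ip: str):
        """Return a session id, or None when the IP is already on the block list.
        At capacity, abort one existing connection to make room (the post's
        "force some of those connections to abort")."""
        if ip in self.blocked:
            return None
        if len(self.active) >= MAX_DAEMONS:
            del self.active[self.pick_abort()]
        sid = self._next_id
        self._next_id += 1
        self.active[sid] = Connection(ip, self.now())
        return sid

    def pick_abort(self) -> int:
        """Abort the connection tarpitted hardest; among ties, the oldest one."""
        return max(self.active,
                   key=lambda s: (self.active[s].failures, -self.active[s].started))

    def record_failure(self, sid: int) -> float:
        """A rejected RCPT or AUTH: update counters, return the delay to sleep."""
        conn = self.active[sid]
        conn.failures += 1
        total = self.bad_ips.get(conn.ip, 0) + 1
        self.bad_ips[conn.ip] = total
        if total >= BLOCK_THRESHOLD:
            self.blocked.add(conn.ip)          # hand over to the firewall from here on
        return conn.delay()

    def close(self, sid: int) -> None:
        self.active.pop(sid, None)

    def firewall_rules(self) -> list[str]:
        """Render the block list as nftables-style set additions (assumed format)."""
        return [f"add element inet filter smtp_block {{ {ip} }}"
                for ip in sorted(self.blocked, key=ipaddress.ip_address)]


def run_scenario() -> dict:
    """Deterministic walk-through with a counting clock and constructed client IPs."""
    clock = itertools.count()
    p = TarpitPolicy(now=lambda: next(clock))
    delays = []
    a = p.accept("192.0.2.10")
    b = p.accept("192.0.2.11")
    delays.append(p.record_failure(a))       # 2.0
    delays.append(p.record_failure(a))       # 4.0
    delays.append(p.record_failure(b))       # 2.0
    p.accept("192.0.2.12")
    p.accept("192.0.2.13")                   # now at MAX_DAEMONS
    victim = p.pick_abort()                  # a: two failures, the worst offender
    p.accept("192.0.2.14")                   # aborts a to make room
    f = p.accept("192.0.2.10")               # aborts b (one failure) to make room
    for _ in range(3):
        delays.append(p.record_failure(f))   # 2.0, 4.0, 6.0; IP reaches 5 failures
    refused = p.accept("192.0.2.10") is None  # firewall-level refusal, no daemon spent
    return {
        "delays": delays,
        "victim": victim,
        "aborted": [s for s in (a, b) if s not in p.active],
        "active_ips": sorted(c.ip for c in p.active.values()),
        "blocked": sorted(p.blocked),
        "rules": p.firewall_rules(),
        "refused": refused,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point the post makes is visible in the last two steps: once an IP has crossed the threshold, the decision is exported as a firewall rule and further connections from it never consume a daemon slot, so the knowledge lives in one place rather than being duplicated in every SMTP process.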