
Re: Abort data transfer?

2009-10-23 07:11:14

John R Levine wrote:
> [...] The infamous Ron Guilmette had an amazing tarpit MTA about a decade ago that used that technique to keep 4000 simultaneous connections open, running on a 486. But since the rise of botnets, tarpitting lost whatever effectiveness it might have had, so I don't know of anyone still doing it.

Courier-MTA does it, for one. I cannot think of another method for handling dictionary attacks, targeting either user/passwd or rcpt. It's obviously not enough against a botnet, but I think it's a good practice. In such a scenario, it is normal to have some SMTP daemons loitering about with their tarpits; IME they usually arrive at a regular disconnection. However, in case the maximum number of daemons is reached, one should force some of those connections to abort. I think that can happen by chance, not necessarily implying a deliberate DoS attack.

Forcefully aborting connections, as well as disallowing further access from those IPs, is better dealt with at the system's firewall level: if knowledge about bad behavior is encapsulated within the SMTP software, different daemons have to duplicate both the functionality and the data, resulting in an overall weaker system. BTW, I reckon 4000 IPs can be handled with a ~400K .db file keyed on the IP number, and would need ~400G to map the whole IPv4 address space that way.
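As an added example (not code from this thread or from Courier-MTA), here is the firewall-side approach the post argues for: a small log scanner that counts rejected RCPTs and failed AUTHs per client IP over a sliding window and emits host-firewall drop rules for the offenders, so the knowledge of bad behavior lives outside the SMTP daemons. The log format, the thresholds and the chain name are assumptions.

```python
"""Added example: hand dictionary-attack offenders to the host firewall
instead of tracking them inside each SMTP daemon. Log format, thresholds
and the iptables chain name are assumptions, not Courier-MTA's own."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (the format is an assumption).
SAMPLE_LOG = """\
2009-10-23 07:01:02 smtpd: ip=[192.0.2.10] rcpt=<alice@example.org> status=rejected reason=unknown_user
2009-10-23 07:01:03 smtpd: ip=[192.0.2.10] rcpt=<bob@example.org> status=rejected reason=unknown_user
2009-10-23 07:01:05 smtpd: ip=[192.0.2.10] rcpt=<carol@example.org> status=rejected reason=unknown_user
2009-10-23 07:01:09 smtpd: ip=[198.51.100.7] auth=LOGIN status=failed
2009-10-23 07:01:30 smtpd: ip=[192.0.2.10] rcpt=<dave@example.org> status=rejected reason=unknown_user
2009-10-23 07:02:00 smtpd: ip=[203.0.113.5] rcpt=<postmaster@example.org> status=accepted
2009-10-23 07:15:00 smtpd: ip=[198.51.100.7] auth=LOGIN status=failed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) smtpd: ip=\[(?P<ip>[^\]]+)\] .*status=(?P<status>\w+)")

def offending_ips(log_text, threshold=3, window_seconds=300):
    """Return {ip: total_failures} for clients that produced at least
    `threshold` rejected RCPTs or failed AUTHs within any sliding window
    of `window_seconds`; a slow trickle below the rate is not flagged."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] not in ("rejected", "failed"):
            continue  # accepted deliveries and unparseable lines are ignored
        events[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    hits = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits

def firewall_rules(hits, chain="smtp_abusers"):
    """Render one DROP rule per offender for a dedicated chain (assumed name)."""
    return ["iptables -A %s -s %s -j DROP" % (chain, ip) for ip in sorted(hits)]

if __name__ == "__main__":
    for rule in firewall_rules(offending_ips(SAMPLE_LOG)):
        print(rule)
```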
