ietf-smtp

Re: [ietf-smtp] [Shutup] Levels of proposals

2015-12-04 05:34:53
On Thu, Dec 03, 2015 at 08:53:32PM -0800, Russ Allbery wrote:
> There are two reasons (well, at least -- maybe more) why this doesn't help
> as much as it sounds like it would, particularly in the case of SMTP AUTH.

Here's one of those "more".

Some sites construct usernames by taking a user's real name and turning
it into "first-initial lastname" or "lastname first-initial", e.g., John
Smith becomes jsmith or smithj.  Sometimes this is truncated to N characters,
with 8 being fairly common.

A quick online search will reveal the 1000 most common surnames in the US.
Prepending/appending the 26 letters of the alphabet and truncating yields
52K candidate login names.

Some of these same sites try to implement account login throttling
policies that are based on F failed tries in M minutes, e.g., if
F > 10 and M < 3, then the account is locked out for ten or fifteen minutes.
They might do this with SMTP AUTH or IMAP or SSH or any other service
which requires a username/password pair.

An attacker in control of a botnet can thus conduct an effective DDoS attack
against at least some of the users of such sites by hitting those 52K
accounts (whether they exist or not) repeatedly with random passwords
and tripping the throttling mechanism.  Depending on how the throttling
mechanism works, they may be able to fine-tune the attack to match it;
or they can simply fire blindly, setting the attempt rate high enough
that it exceeds any plausible F under any plausible M.  And of course
by randomizing the source IP of the attempts they can make attempts by
defenders to block this tedious or impractical.

Salt to taste for other countries with different surname popularity or
for other operations with different algorithmic means of constructing login
names from real names, etc.  Augment with more login names constructed
by scraping the target's web site.  And so on.

This is not a hypothetical, incidentally.

---rsk

_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
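
Added example, not part of the original message: a small in-memory model of the "F failed tries in M minutes" lockout described above, showing that counting failures per account locks out the account's owner while counting per (account, source) does not. The class, the key functions, the user name and the documentation-range addresses are assumptions for illustration; per-source counting is a common adjustment, not something the message proposes.

```python
from collections import defaultdict, deque

# Figures from the message: more than F failures in under M minutes locks the
# account for ten minutes. Times are in seconds.
F, M, LOCKOUT = 10, 3 * 60, 10 * 60

class Throttle:
    """Failed-login throttle; key_fn decides what is counted and locked."""
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(deque)  # key -> times of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def attempt(self, now, user, src, password_ok):
        key = self.key_fn(user, src)
        if self.locked_until.get(key, 0) > now:
            return "locked"                 # refused before the password is checked
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        recent = self.failures[key]
        recent.append(now)
        while recent[0] <= now - M:         # keep only failures inside the window
            recent.popleft()
        if len(recent) > F:
            self.locked_until[key] = now + LOCKOUT
            recent.clear()
        return "fail"

def by_account(user, src):             # the policy the message describes
    return user

def by_account_and_source(user, src):  # assumed alternative, for comparison
    return (user, src)

def owner_login_after_distributed_failures(key_fn):
    """Constructed traffic: 30 wrong passwords for one account, one per second,
    each from a different address; then the owner logs in correctly."""
    t = Throttle(key_fn)
    for i in range(30):
        t.attempt(i, "jsmith", f"198.51.100.{i + 1}", False)
    return t.attempt(40, "jsmith", "192.0.2.10", True)

def owner_login_after_single_source(key_fn):
    """Constructed traffic: 11 wrong passwords from one address, then a
    correct login from that same address."""
    t = Throttle(key_fn)
    for i in range(11):
        t.attempt(i, "jsmith", "198.51.100.7", False)
    return t.attempt(11, "jsmith", "198.51.100.7", True)
```

Per-source counting no longer caps the total number of guesses against one account when they arrive from many addresses, so it is a trade-off rather than a complete fix.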