[GLLUG] Sendmail DoS Question

John Edwards john at cornerstonelinux.co.uk
Wed Oct 24 23:22:14 UTC 2018 

Hi

On Wed, Oct 24, 2018 at 11:52:31PM +0100, Ken Smith via GLLUG wrote:
> Hi All
> 
> I've been noticing what looks like an attempt at a DoS on my mail server.
> Various hosts open sets of SSL sessions to port 465 and then sit there not
> exchanging any traffic. The server is set to allow 20 sendmail processes and
> the miscreant gets that number of session going effectively DoSing the
> service. Easily remedied by killing it all and restarting the daemon. I've
> adjusted sendmail's timeouts to drop these malicious sessions.
> 
> The session processes get stuck looking like this in ps.
> 
> sendmail: server [178.128.158.113] startup
> 
> I've also set a connection limit to port 465 in iptables to reject these
> multiple sessions that appear to originate in batches from the same IP and
> then from another IP and so on.
> 
> Anyone else seeing this and out of interest what mode is sendmail in when
> its shows "startup". I've tried manually connecting and sending e-mail
> either in plain text or via ssl and don't see that status.

I don't run sendmail, but that sounds like a variant on the old trick
of opening lots of network connections and then communicating very
slowly over each one. Example:
       https://en.wikipedia.org/wiki/Slowloris_(computer_security)

Most web servers will have some sort of connection control to stop
this, such as Apache's mod_reqtimeout, but I've not seen anything
similar for most SMTP or IMAP servers beyond the basic limits of the
number of connection per IP (happy to be proved wrong in that).
 
So I think you are probably right in falling back on iptables to limit
connections. Of course DoS is still possible if the attack has a wide
enough range of IP addresses. I've seen plenty of examples on limiting
the maximum transfer rate for a network connection, but not for a
minimum.

Tangentially, could hooking failures into something like fail2ban
help in the long term?


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#

More information about the GLLUG mailing list