Axel Thimm wrote:
> On Fri, Feb 01, 2008 at 08:30:19AM +0900, John Summerfield wrote:
>> Axel Thimm wrote:
>>> On Wed, Jan 30, 2008 at 05:06:20PM +0100, Nick Jennings wrote:
>>>> Hi Tim,
>>>>
>>>> Thanks for your response. I should have mentioned that this server is
>>>> meant to be a hosting server for both web and mail, and there is no way
>>>> to effectively restrict based on trusted clients.
>>>>
>>>> Is there anything else perhaps more general for if not preventing, then
>>>> deterring and slowing down this kind of attack?
>>> Google for tarpitting, that's the method used to slow down malevolent
>>> nodes.
>> I suspect it doesn't work. It's easily worked around. A slow connexion
>> doesn't prevent more from being started,
>
> "Adds a TARPIT target to iptables, which captures and holds incoming
> TCP connections using no local per-connection resources. Connections
> are accepted, but immediately switched to the persist state (0 byte
> window), in which the remote side stops sending data and asks to
> continue every 60-240 seconds. Attempts to close the connection are
> ignored, forcing the remote side to time out the connection in 12-24
> minutes."
>
> So new connections are not helping the attacker, in fact the attacker
> is the one now losing resources per connection, your system isn't
> losing anything anymore.
It doesn't prevent the remote attacker opening a new connexion every,
say, one minute, and it doesn't prevent him from timing out himself in
less than that. Say 1 minute.
Resources are cheap, _they_ use other people's computers and internet
accounts.
>
>> and has no effect at all on other members of a botnet.
>
> A DDoS is harder to fence off (and in general harder to detect before
> the system collapses), but you scale it down to only a few connections
> per attacker and not hundreds of connections per attacker.
I'm not saying DDoS; a botnet can run through its list of candidate
names and passwords, one or two every so often per host, and in between
times they try others.
We're talking about criminals here, not your average teenage pest.
--
Cheers
John
-- spambait
1aaaaaaa@(protected)
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list
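The distributed, low-and-slow pattern John describes above (each bot tries one or two candidates against the same accounts, so no single source ever looks noisy) is easy to check for in the logs a hosting box already has. The following is an added example, not code from this thread or from any of the posters: it parses sshd "Failed password" lines, applies a fail2ban-style per-source threshold, and then applies the aggregate view (distinct sources per target account in the same window) that actually catches the spread-out attempt. The log lines, the host name "hostbox" and the addresses (RFC 5737 documentation ranges) are constructed for the example, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): six bots, each trying one
# password for root and one for admin, spread over ten minutes. No single
# source ever makes more than two attempts. One unrelated line is included
# to show that non-failure records are ignored.
SAMPLE_LOG = """\
Feb  1 08:30:05 hostbox sshd[2310]: Failed password for root from 203.0.113.10 port 50122 ssh2
Feb  1 08:30:41 hostbox sshd[2315]: Failed password for invalid user admin from 203.0.113.10 port 50130 ssh2
Feb  1 08:31:17 hostbox sshd[2322]: Failed password for root from 198.51.100.7 port 33810 ssh2
Feb  1 08:32:03 hostbox sshd[2329]: Failed password for invalid user admin from 198.51.100.7 port 33815 ssh2
Feb  1 08:32:30 hostbox sshd[2333]: Accepted publickey for deploy from 192.0.2.9 port 51000 ssh2
Feb  1 08:33:29 hostbox sshd[2340]: Failed password for root from 203.0.113.77 port 41202 ssh2
Feb  1 08:34:10 hostbox sshd[2344]: Failed password for invalid user admin from 203.0.113.77 port 41210 ssh2
Feb  1 08:35:52 hostbox sshd[2351]: Failed password for root from 192.0.2.44 port 60004 ssh2
Feb  1 08:36:33 hostbox sshd[2358]: Failed password for invalid user admin from 192.0.2.44 port 60011 ssh2
Feb  1 08:37:48 hostbox sshd[2366]: Failed password for root from 198.51.100.200 port 55291 ssh2
Feb  1 08:38:20 hostbox sshd[2371]: Failed password for invalid user admin from 198.51.100.200 port 55299 ssh2
Feb  1 08:39:06 hostbox sshd[2380]: Failed password for root from 203.0.113.250 port 47712 ssh2
Feb  1 08:39:44 hostbox sshd[2385]: Failed password for invalid user admin from 203.0.113.250 port 47720 ssh2
"""

# Matches the classic OpenSSH password-failure line; "invalid user" is
# present when the account does not exist on the box.
FAIL_RE = re.compile(
    r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(\S+) from (\S+) port \d+ ssh2$'
)


def parse_failures(text, year=2008):
    """Return a list of (timestamp, target_user, source_ip) for failed logins.

    Syslog lines carry no year, so the caller supplies one (assumption)."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def per_source_offenders(events, threshold=5, window=timedelta(minutes=10)):
    """fail2ban-style rule: a source IP is an offender if it produces at least
    `threshold` failures inside any `window`-long sliding interval."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return offenders


def distributed_targets(events, threshold=5, window=timedelta(minutes=10)):
    """Aggregate view: for each target account, the largest number of
    distinct source IPs seen failing against it inside one `window`.
    Returns {user: distinct_sources} for accounts at or above `threshold`."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    hits = {}
    for user, attempts in by_user.items():
        attempts.sort()
        best = 0
        for i, (t0, _ip) in enumerate(attempts):
            ips = {ip for ts, ip in attempts[i:] if ts - t0 <= window}
            best = max(best, len(ips))
        if best >= threshold:
            hits[user] = best
    return hits


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("failures parsed:", len(ev))
    print("per-source offenders (5 in 10 min):", per_source_offenders(ev))
    print("accounts hit from >=5 distinct sources:", distributed_targets(ev))
```

Run against the constructed log, the per-source rule finds nothing, because every bot stays at two attempts, while the per-account view reports root and admin each being worked on from six different addresses in the same ten minutes. That is the gap John is pointing at: a tarpit or a per-IP ban only changes the cost for one source, so the signal worth alerting on is the aggregate across sources.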