chun 2010-5-21 15:59

sonicwall SMTP DOS attacks with malformed email addresses

<h1><a href="http://serverfault.com/questions/67014/smtp-dos-attacks-with-malformed-email-addresses" class="question-hyperlink">SMTP DOS attacks with malformed email
addresses</a></h1><table><tbody><tr><td class="votecell">
    </td>
    <td class="postcell">
        <div>         
            <div class="post-text">
                <p>We have the following setup:<br>
Red Hat kernel 2.4.16<br>
Sendmail 8.11.6<br>
<br>
This is a very old, ~7 years, Cobalt RaQ server and is not easily
upgradeable.  Currently, we are being hit by multiple IP addresses from
Latin America, Russia, Pakistan and others that open SMTP connections to
our mail server and attempt to send emails from malformed addresses,
always missing the top-level domain and similar in format to:  </p>

<ul><li>losingm7@mysterious   </li><li>kingleirr5@pc</li><li>etc</li></ul>

<p>Our sendmail responds with:</p>

<pre class="prettyprint"><code>sendmail[6973]: n8JABr406973: ruleset=check_mail, arg1=&lt;evangelinaii2@mysterious&gt;, relay=wtl.worldcall.net.pk [115.186.114.184] (may be forged), reject=553 5.1.8 &lt;evangelinaii2@mysterious&gt;... Domain of sender address evangelinaii2@mysterious does not exist</code></pre>

<p>At this point, the attacker sends a RSET command and tries another
similar but different email address.  We are getting ~2 attempts every
second from each IP address.  The reason I think this may be a DOS
attack is that as soon as I kill a connection, within seconds a new IP
address starts up another attack from a completely new geography.  For
example, I kill a connection from Chile and another connection from
Colombia starts 1 second later.  <br>Obviously, this is causing
unnecessary load on our mail server and I would like to stop these
connections at the gateway if possible.  Does anyone have ideas on how
to fix this?  I realize our mail server is badly in need of replacement,
and that is in the works, but not complete yet.  What I am looking for
is a band-aid on this issue.  <br>
Thanks.</p>

            </div>            
            <div class="post-taglist">
                <a href="http://serverfault.com/questions/tagged/emailserver" class="post-tag" title="show questions tagged 'emailserver'" rel="tag">emailserver</a>
<a href="http://serverfault.com/questions/tagged/sendmail" class="post-tag" title="show questions tagged 'sendmail'" rel="tag">sendmail</a>
<a href="http://serverfault.com/questions/tagged/dos" class="post-tag" title="show questions tagged 'dos'" rel="tag">dos</a> <a href="http://serverfault.com/questions/tagged/ddos" class="post-tag" title="show questions tagged 'ddos'" rel="tag">ddos</a>
            </div>
            <table class="fw">
            <tbody><tr>
            <td class="vt">
               
            </td>
        
            <td class="post-signature owner">
            <div class="user-info"><div class="user-action-time">asked <span title="2009-09-19 18:55:28Z" class="relativetime">Sep 19 '09 at 18:55</span></div><div class="user-gravatar32"><a href="http://serverfault.com/users/19488/scott-lundberg"><img src="http://www.gravatar.com/avatar/7cd4abeedd6df6714aab89a196f56411?s=32&amp;d=identicon&amp;r=PG" alt="" height="32" width="32"></a></div><div class="user-details"><a href="http://serverfault.com/users/19488/scott-lundberg">Scott Lundberg</a><br><span class="reputation-score" title="reputation score">1,517</span><span title="1 gold badge"><span class="badge1"></span><span class="badgecount">1</span></span><span title="1 silver badge"><span class="badge2"></span><span class="badgecount">1</span></span><span title="10 bronze badges"><span class="badge3"></span><span class="badgecount">10</span></span></div></div>
            <br class="cbt">
            
            </td>
            </tr>
            </tbody></table>
        </div>
    </td>
    </tr>

   

   
    </tbody></table>
   







    <a name="tab-top"></a>
    <div id="answers-header">
        <div class="subheader answers-subheader">
            <h2>5 Answers</h2>
        </div>
    </div>



    <a name="67017"></a>
   
    <div id="answer-67017" class="answer ">
        
        <table>
        <tbody><tr>
        <td class="votecell">
            

        </td>
        <td>
            <div class="post-text"><p>Are the messages sent to valid
addresses in your domain?  If not, this sounds like a pretty typical
experience for a mail domain that's been around for at least 7 years --
we see tens of thousands of directory harvesting messages to accounts
that don't exist on our domain every day.  Your smtp gateway should be
gracefully dropping these connections rather than sending NDRs or
processing the message, which limits the impact a good deal.  I'm not
familiar enough with sendmail to know if it's behaving this way from the
log line you've included, but if the sending server is the one issuing
the RSET rather than your mail server, I suspect not.  </p>

<p>Is this something that you've noticed begun only recently or that has
changed?  Even for our relatively small organization, if I watch the
inbound connections I'll definitely see dozens of connections or more
every minute, and if I kill one off another will undoubtedly pop up, and
yes, they're from all over the world.  98-99.9% is Spam.  Sadly, that's
the nature of having an email server these days.  </p>
</div>
            <table class="fw">
            <tbody><tr>
            <td class="vt">
                <div class="post-menu"><a href="http://serverfault.com/questions/67014/smtp-dos-attacks-with-malformed-email-addresses/67017#67017" title="permalink to this answer">link</a></div>
               
            </td>
            
            <td class="post-signature" align="right">
            <div class="user-info"><div class="user-action-time">answered
<span title="2009-09-19 19:24:39Z" class="relativetime">Sep 19 '09 at
19:24</span></div><div class="user-gravatar32"><a href="http://serverfault.com/users/2302/nedm"><img src="http://www.gravatar.com/avatar/e5adb0683b86819124da6cfbbfe63b1c?s=32&amp;d=identicon&amp;r=PG" alt="" height="32" width="32"></a></div><div class="user-details"><a href="http://serverfault.com/users/2302/nedm">nedm</a><br><span class="reputation-score" title="reputation score">1,418</span><span title="6 silver badges"><span class="badge2"></span><span class="badgecount">6</span></span><span title="15 bronze badges"><span class="badge3"></span><span class="badgecount">15</span></span></div></div>
            </td>
            </tr>
            </tbody></table>
        </td>
        </tr>
        

<tr>
<td class="votecell"><br></td>
<td>
    <div id="comments-67017" class="comments">
        <table>
        <tbody>
                    
    <tr id="comment-54031" class="comment">
        <td><br></td>
        <td class="comment-text"><div>@Nedm:  From a sniff I have run,
our mail server sends the 553 message immediately after the attacker
sends MAIL FROM:&lt;malformed address&gt;.  The attacker never gets to
send the RCPT TO:, so I don't know if it is trying to send to a current
user.  The attacker then sends a RSET command to our mailserver, which
then resets the SMTP state and the whole thing starts over, but the TCP
connection is never dropped...which you have correctly identified as a
problem (I just don't know how to solve it).  This is recently (past 2
days) –&nbsp;<a href="http://serverfault.com/users/19488/scott-lundberg" title="1517 reputation" class="comment-user owner">Scott Lundberg</a> <span class="comment-date"><span title="2009-09-19 19:57:10Z">Sep 19 '09 at
19:57</span></span></div></td>
    </tr>

        </tbody>
   
        </table>
    </div>
   
</td>
</tr>
        </tbody></table>
    </div>

     
           

    <a name="67029"></a>
   
    <div id="answer-67029" class="answer ">
        
        <table>
        <tbody><tr>
        <td class="votecell">
            

        </td>
        <td>
            <div class="post-text"><p>You might check out fail2ban. It'd
take some configuration, but you could set up a box to act as a
bridging firewall between your mail server and the outside connection,
then use fail2ban on the bridge to scan your smtp logs on the mail
server. When it detects an anomaly in the mail server logs it blocks the
ip address for a period of time.</p>

<p>This <a href="http://www.the-art-of-web.com/system/fail2ban-sendmail/" rel="nofollow">link</a> could give you a start.</p>

<p>This is just an off the cuff answer that might or might not be a good
way of doing this. But the benefit is it requires minimal reconfiguration
of your mail server.</p>
</div>
            <table class="fw">
            <tbody><tr>
            <td class="vt">
                <div class="post-menu"><a href="http://serverfault.com/questions/67014/smtp-dos-attacks-with-malformed-email-addresses/67029#67029" title="permalink to this answer">link</a></div>
               
            </td>
            
            <td class="post-signature" align="right">
            <div class="user-info"><div class="user-action-time">answered
<span title="2009-09-19 21:20:42Z" class="relativetime">Sep 19 '09 at
21:20</span></div><div class="user-gravatar32"><a href="http://serverfault.com/users/17642/emgee"><img src="http://www.gravatar.com/avatar/ef497042d487f985d32070e82cdfb710?s=32&amp;d=identicon&amp;r=PG" alt="" height="32" width="32"></a></div><div class="user-details"><a href="http://serverfault.com/users/17642/emgee">emgee</a><br><span class="reputation-score" title="reputation score">579</span><span title="1 silver badge"><span class="badge2"></span><span class="badgecount">1</span></span><span title="8 bronze badges"><span class="badge3"></span><span class="badgecount">8</span></span></div></div>
            </td>
            </tr>
            </tbody></table>
        </td>
        </tr>
        

        </tbody></table>
    </div>
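<p>The log-scanning approach emgee describes, as an added example that is not part of the answer or of fail2ban itself: a Python detector that parses sendmail's check_mail reject lines in the exact format quoted in the question and bans any relay IP that exceeds a fail2ban-style maxretry/findtime threshold. The log lines are constructed (the syslog prefix, the host name raq and the address 192.0.2.10 are assumptions; 115.186.114.184 is the relay from the question).</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Sendmail check_mail rejections as quoted in the question: a 553 5.1.8 reply
# for a sender domain that does not exist.  The relay's IP is the bracketed
# address after "relay="; the hostname before it is optional and may carry
# "(may be forged)".
REJECT_RE = re.compile(
    r"sendmail\[\d+\]: \w+: ruleset=check_mail, arg1=<(?P<sender>[^>]*)>, "
    r"relay=(?:\S+ )?\[(?P<ip>[\d.]+)\](?: \(may be forged\))?, "
    r"reject=553 5\.1\.8 "
)
# Assumption: in a fail2ban filter the same expression, with (?P<ip>...)
# replaced by fail2ban's <HOST> token, would serve as the failregex.

# Constructed sample log in syslog form (host "raq" and 192.0.2.10 are made
# up; 115.186.114.184 is the relay shown in the question).
SAMPLE_LOG = [
    "Sep 19 18:55:01 raq sendmail[6973]: n8JABr406973: ruleset=check_mail, arg1=<evangelinaii2@mysterious>, relay=wtl.worldcall.net.pk [115.186.114.184] (may be forged), reject=553 5.1.8 <evangelinaii2@mysterious>... Domain of sender address evangelinaii2@mysterious does not exist",
    "Sep 19 18:55:01 raq sendmail[6973]: n8JABs406973: ruleset=check_mail, arg1=<losingm7@mysterious>, relay=wtl.worldcall.net.pk [115.186.114.184] (may be forged), reject=553 5.1.8 <losingm7@mysterious>... Domain of sender address losingm7@mysterious does not exist",
    "Sep 19 18:55:02 raq sendmail[6973]: n8JABt406973: ruleset=check_mail, arg1=<kingleirr5@pc>, relay=wtl.worldcall.net.pk [115.186.114.184] (may be forged), reject=553 5.1.8 <kingleirr5@pc>... Domain of sender address kingleirr5@pc does not exist",
    "Sep 19 18:55:02 raq sendmail[6981]: n8JABu406981: ruleset=check_mail, arg1=<user1@nowhere>, relay=[192.0.2.10], reject=553 5.1.8 <user1@nowhere>... Domain of sender address user1@nowhere does not exist",
    "Sep 19 18:55:02 raq sendmail[6973]: n8JABv406973: ruleset=check_mail, arg1=<user2@home>, relay=wtl.worldcall.net.pk [115.186.114.184] (may be forged), reject=553 5.1.8 <user2@home>... Domain of sender address user2@home does not exist",
    "Sep 19 18:55:03 raq sendmail[6973]: n8JABw406973: ruleset=check_mail, arg1=<user3@office>, relay=wtl.worldcall.net.pk [115.186.114.184] (may be forged), reject=553 5.1.8 <user3@office>... Domain of sender address user3@office does not exist",
    "Sep 19 18:55:04 raq sendmail[6990]: n8JABx406990: ruleset=check_rcpt, arg1=<bob@example.net>, relay=[192.0.2.10], reject=550 5.7.1 <bob@example.net>... Relaying denied",
    "Sep 19 18:55:05 raq sendmail[6981]: n8JABy406981: ruleset=check_mail, arg1=<user4@nowhere>, relay=[192.0.2.10], reject=553 5.1.8 <user4@nowhere>... Domain of sender address user4@nowhere does not exist",
]


def parse_reject(line):
    """Return (timestamp, ip, sender) for a 553 5.1.8 reject line, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    # syslog lines carry no year; the example pins it to 2009
    ts = datetime.strptime("2009 " + line[:15], "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("sender")


def offenders(lines, maxretry=5, findtime=10):
    """fail2ban-style rule: ban an IP once it has maxretry rejects inside a
    sliding window of findtime seconds.  Returns the IPs in ban order."""
    recent = defaultdict(deque)
    banned = []
    for line in lines:
        parsed = parse_reject(line)
        if parsed is None:
            continue  # accepted mail, 550 relaying denied etc. are ignored
        ts, ip, _sender = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print(f"ban {ip}")  # on the bridge this would feed a firewall rule
```

With the defaults only the relay that fired five rejects in three seconds is banned; the host with two rejects and the unrelated 550 line are left alone.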


    <a name="67036"></a>
   
   
        
        
        
        <table><tbody><tr>
        <td class="votecell">
            
<div class="vote">
<span class="vote-accepted-on" title="The question owner accepted this
as the best answer Sep 21 '09 at 20:51"></span>
</div>

        </td>
        <td>
            <div class="post-text"><p>I have a solution!  This is
specific to a Sonicwall firewall using the <a href="http://www.sonicwall.com/us/products/10941.html" rel="nofollow">Application
Firewall</a>, but here are the steps to prevent this attack:<br></p>

<ol><li>Create a new Application Object with the following settings:
<img src="http://img32.imageshack.us/img32/5048/object.jpg" alt="alt
text"></li><li>Create a new Application Policy with the following settings:
<img src="http://img17.imageshack.us/img17/5222/policyn.jpg" alt="alt
text"><br>
Note the link to the Application Object created in step 1 (553 response
in SMTP) and the Action Reset/Drop (which is a built-in Action).</li></ol>

<p>After implementing this policy, I was able to verify with sniffs that
a TCP RST was sent to the mail server and the SMTP connection was
immediately dropped and closed, so there are no open ports on the mail
server and the attacker goes away.  <br></p>
</div>
            <table class="fw">
            <tbody><tr>
            <td class="vt">
                <div class="post-menu"><a href="http://serverfault.com/questions/67014/smtp-dos-attacks-with-malformed-email-addresses/67036#67036" title="permalink to this answer">link</a></div>
               
            </td>
            
            <td class="post-signature" align="right">
            <div class="user-info"><div class="user-action-time">edited <a href="http://serverfault.com/posts/67036/revisions" title="show all
edits to this post"><span title="2009-09-19 21:58:57Z" class="relativetime">Sep 19 '09 at 21:58</span></a></div><div class="user-details"><br></div></div>
            </td>
            
            <td class="post-signature owner" align="right">   
            <div class="user-info"><div class="user-action-time">answered
<span title="2009-09-19 21:50:10Z" class="relativetime">Sep 19 '09 at
21:50</span></div><div class="user-gravatar32"><a href="http://serverfault.com/users/19488/scott-lundberg"><img src="http://www.gravatar.com/avatar/7cd4abeedd6df6714aab89a196f56411?s=32&amp;d=identicon&amp;r=PG" alt="" height="32" width="32"></a></div><div class="user-details"><a href="http://serverfault.com/users/19488/scott-lundberg">Scott Lundberg</a><br><span class="reputation-score" title="reputation score">1,517</span><span title="1 gold badge"><span class="badge1"></span><span class="badgecount">1</span></span><span title="1 silver badge"><span class="badge2"></span><span class="badgecount">1</span></span><span title="10 bronze badges"><span class="badge3"></span><span class="badgecount">10</span></span></div></div>
            </td>
            </tr>
            </tbody></table>
        </td>
        </tr>
        

<tr>
<td class="votecell"><br></td>
<td>
    <div id="comments-67036" class="comments">
        <table>
        <tbody>
                    
    <tr id="comment-54041" class="comment">
        <td><br></td>
        <td class="comment-text"><div>So if the firewall sees an SMTP
553 from your server, it drops the connection? That seems like it will
do the job of killing the session, still though it doesn't prevent the
connection in the first place, but if it works then it works I guess. –&nbsp;<a href="http://serverfault.com/users/19152/joeqwerty" title="10220
reputation" class="comment-user">joeqwerty</a> <span class="comment-date"><span title="2009-09-19 22:16:33Z">Sep 19 '09 at
22:16</span></span></div></td>
    </tr>
            
    <tr id="comment-54042" class="comment">
        <td><br></td>
        <td class="comment-text"><div>Nice find, BTW. –&nbsp;<a href="http://serverfault.com/users/19152/joeqwerty" title="10220
reputation" class="comment-user">joeqwerty</a> <span class="comment-date"><span title="2009-09-19 22:17:39Z">Sep 19 '09 at
22:17</span></span></div></td>
    </tr>
            
    <tr id="comment-54043" class="comment">
        <td><br></td>
        <td class="comment-text"><div>Thanks Joe! I spent the better
part of two hours messing with it...  Yes, you are correct, the firewall
RSTs the connection if it sees a 553 5.1.8 response from our
mailserver.  This response indicates that the mailserver will not
deliver the message anyways, so dropping the connection should not
affect real messages... I hope.  I don't see a way to prevent the
connection in the first place since there is no way to tell what the
attacker is going to use for a sending mail address... –&nbsp;<a href="http://serverfault.com/users/19488/scott-lundberg" title="1517
reputation" class="comment-user owner">Scott Lundberg</a> <span class="comment-date"><span title="2009-09-19 22:33:21Z">Sep 19 '09 at
22:33</span></span></div></td>
    </tr>
            
    <tr id="comment-54044" class="comment">
        <td><br></td>
        <td class="comment-text"><div>YW. It's always nice to get that
sense of accomplishment when you find a solution to a problem. –&nbsp;<a href="http://serverfault.com/users/19152/joeqwerty" title="10220
reputation" class="comment-user">joeqwerty</a> <span class="comment-date"><span title="2009-09-19 22:37:54Z">Sep 19 '09 at
22:37</span></span></div></td>
    </tr>
            
    <tr id="comment-54093" class="comment comment-hover">
        <td><br></td>
        <td class="comment-text"><div>Very nice solution -- looks about
as elegant as can be working with what you've got.  If the IPs keep
changing there's no way to prevent the connection in the first place,
and this looks like it nips it in the bud pretty well. –&nbsp;<a href="http://serverfault.com/users/2302/nedm" title="1418 reputation" class="comment-user">nedm</a> <span class="comment-date"><span title="2009-09-20 04:46:00Z">Sep 20 '09 at 4:46</span></span></div></td></tr></tbody></table></div></td></tr></tbody></table><br><br>