Author: Cyborg
Date:
To: exim-users
Subject: Re: [exim] Exim (aoom) named in context of new TLS cross-protocol attack
On 09.06.21 at 22:03, Heiko Schlittermann via Exim-users wrote:
> Cyborg via Exim-users <exim-users@???> (Wed 09 Jun 2021 21:13:43 CEST):
>> Don't get me wrong, exim is at the top of this "best of the worse" list,
>> because it stops after 3 retries, but other servers like proftpd have already
>> reacted to this by implementing countermeasures. This can also be seen in
>> the mentioned figure.
> The "3" is configurable:
>
> |smtp_max_synprot_errors|Use: main|Type: integer|Default: 3|
>
> So, if you worry about the abuse of your bandwidth and your Exim server,
> then set this to zero. Should be enough to not be a part of this attack
> vector, shouldn't it?
>
In the article, a reflection attack is mentioned, so it may be important
what's coming back from the server. It may not be enough to just react
only once, but we will see when more information is revealed.
I'm trying to get more information about that attack vector from the German
universities which found it, and will make some tests if possible, so we
see what we actually have to defend against.