On Thu, 11 May 2023, Slavko via Exim-users wrote:
> Hi,
>
> i wonder about DDoS, i will try explain why in more descriptive,
> please aproximate my English...
>
> I have separate MSA exim, it autentificates users against dovecot
> and i use dovecot's Auth Policy daemon to do some checks before
> ligin itself.
>
> I am facing many login attempts (attacks) from ~100-200 different
> IPs daily, without any pattern in country/ASN/IP block. Most of them
> is properly identified by mentioned Auth Policy daemon, which
> prevents to real login. The dovecot shows in its logs something as
> "drop connection". That all works as excpected when IMAP login
> attempts happens.
>
> The problem is in exim. It gets (logs) "authenticator failed ..." line,
> that line contains "535 Incorrect authentication data ..." too. Then
> it responds that (i guess) to client, which never responds. The
> connection is then hold open, until timeout happens (in my case
> i lowered it to 60 sec). As attackers does that login attempts in
> waves 10-15 IPs in short time, here are multiple connections
> openned until timeout happens.
>
> They repeats login from the same IP only after relative long time
> (in days), thus blocking in FW doesn't solves that. I have some
> thousands IP in FW already, its count grows and currently blocks
> about 40-60 % of connections, but still many new IPs appears and
> that happens for about 2 years. I do not know if it is one or more
> attackers (bothets), but i guess that more groups trying me.
> By docs, the default smtp_accept_max is 20, i have set it higher
> value already, but that doesn't matter, as i see that attacker has
> many thousands IPs available. Thus i wonder, that it is able to reach
> that limit if it will want anytime, just by opening many connections
> and abandon them, thus effective run DDoS against MSA. I didn't
> meet that DDoS yet, but i wonder about it -- is my wondering
> real or am i too paranoid?
>
> I cannot find way, how to follow mentioned "drop connection" from
> Auth Policy daemon from authentificator, thus how to drop connection
> on **some** login attempts. I do not know if that is even possible,
> nor in exim, nor in dovecot. Please, is here way to drop these policy
> blocked logins to prevent connection timeouts?
I am working on adding incoming CLIENTID support -
https://www.ietf.org/archive/id/draft-storey-smtp-client-id-14.txt
- to exim. This will allow you to identify different client apps
and devices used by the same user, and should allow you to identify
and thus reject a connection *before* authentication (I need to double
check that this complies with the draft spec).
Assuming that this doesn't have the same timeout problem as
authentication, this may help.
CLIENTID is only useful as an addition to a user database
I don't currently have users, so will need help with that part
once the initial part is ready. I will extend the exim binary part;
helpers should "just" need to write exim config and a web interface to
distribute the CLIENTID tokens complete the CLIENTID implementation.
There is also a draft CLIENTID rfc for IMAP. Thunderbird supports both.
--
Andrew C. Aitchison Kendal, UK
andrew@???
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
