[exim] Re: smtp_accept_max & DDoS

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Slavko
日付:  
To: exim-users
題目: [exim] Re: smtp_accept_max & DDoS
Dňa 12. mája 2023 11:56:18 UTC používateľ Jeremy Harris via Exim-users <exim-users@???> napísal:

>The _max option is there to cap the load imposed on the system;
>a DDOS is possible whether you have that cap or not (though a
>DOS become easier if you limit to lower than the ultimate
>system capability). It's not related to authentication,
>really, unless your system *only* handles MSA work.


I understad (i hope) that already. The DDoS i mean is not
load based, as connection limit will happen early. Most of
load on that host happens on email delivery (dovecot's
full text search indexing). I talk about DDoS based on
connections count by keeping open these pontless failed
logins attemts.

Defaults are 20 concurent connections and 5min timeout,
that limit can be easy reached with 1 conn per 15 sec,
keeping it open for that timeout. If one has botnet with
1000 IPs it can keep all server's connections up for more
than 4 hours without repeating from the same IP. Or in
other words, it can connect from one IP only once per
~4 hours and keep connections busy for long time, not
allowing to connect from real hosts... And that repeating
rate will remain unnoticed by many IDS/IPS... Or am i
wrong?

If we can prevent that timeout, the IP count or repeating
rate must be much higher to achieve the same result.
DDoS still possible, but less simple and better to detect...

Currently i have concurent connections under 5 all time,
as attacker mostly waits to get response and then try
from another IP after small pause. I have some delays too,
but they are conditional, if connections cross 25% of limit,
the delays drops to 0s, but that is really rare.

>One might imagine a per-port cap... but the implementation
>feels problematic at first glance; you really don't want to
>be doing an expensive expansion in the daemon loop.


No, that is not what i need. That host does MSA for public
access and MDA for my MX. The host_reserve (and so)
are enough for me yet. The MX (MTA) is on another host...
Beside the fact that i have public access to ports separated,
it is more simple to maintain ACLs (and others) for me.

>If your authenticator has an expansion which determines this
>policy condition, what happens if you use an acl expansion
>component which does a "drop"? I've not tried this; no
>idea if if functions.


Do you mean the server_condition option? AFAIK it will
not work with dovecot autentificator, as it is consulted
only after success authentification. Or do you mean
something else?

I know, that recently was added auth failed event, but it
is not in my version (4.94) yet, and i am not sure if it will
help with drop connection, as it is not documented in
current docs yet.

Anyway, i do not know if exim gets some extra info from
dovecot autentificator, which one can parse. I do not
know if dovecot pass it... Know someone that?

regards


--
Slavko
https://www.slavino.sk/

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/