Next-Generation DoS at the Higher Layers: A Study of SMTP Flooding
In this paper, we study distributed denial of service (DDoS) attacks that establish connections at the higher layers of the protocol stack in order to maximize resource depletion on the targeted servers. In particular, we concentrate on attacks directed at SMTP applications on incoming mail servers. We first describe our experiments on the feasibility of such attacks on two widely used SMTP server applications: Microsoft Exchange 2010 and Postfix 2.8. The results show that both applications can survive relatively strong attacks if configured properly. Although Microsoft Exchange 2010 was shown to handle the attacks better than Postfix, both applications can benefit from hardened configurations.
In particular, we show the efficacy of their connection timeout mechanisms as a protection against this kind of DoS attack. We first show that default timeout parameters give weak protection for Postfix, but that Exchange’s default throttling policy makes attacks ineffective. We then statically modify the timeout value and other parameters in Postfix in order to measure their impact on the performance under an SMTP flood attack. The results obtained allow us to make recommendations about optimal configurations in terms of quality of service for legitimate clients.
Keywords: Default Setting, High Layer, Client Connection, Attack Strength, Legitimate Client
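The Postfix knobs the abstract refers to (the connection timeout and the related process, per-client and stress-mode limits) live in main.cf. The fragment below is an added example written for this page, not the paper's configuration or its recommended values: the commented-out lines state the stock Postfix 2.8 defaults, the active lines are one illustrative hardened setting, and every number is an assumption to be tuned against measured legitimate-client traffic.

```ini
# /etc/postfix/main.cf fragment (added example; numbers are illustrative,
# not the paper's recommendations)

# How long a client may hold an smtpd process between commands. A client that
# connects and then sends nothing occupies one server slot for this whole
# period, which is the resource an SMTP connection flood depletes.
# Postfix 2.5+ sets "stress=yes" when all smtpd processes are busy; the
# 2.8-era syntax ${name?if-set}${name:if-unset} picks the short value then.
#smtpd_timeout = 300s                      (stock default, no stress mode)
smtpd_timeout = ${stress?10}${stress:60}s

# Error budgets: under stress, drop a misbehaving client after one error.
#smtpd_hard_error_limit = 20
#smtpd_junk_command_limit = 100
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_junk_command_limit = ${stress?1}${stress:100}

# Number of smtpd processes, i.e. connections that can be served at once
# (master.cf may override this per service).
#default_process_limit = 100
default_process_limit = 200

# Per-client concurrency and rate limits, enforced by anvil(8).
# Defaults: 50 simultaneous connections per client, no rate limit (0).
#smtpd_client_connection_count_limit = 50
#smtpd_client_connection_rate_limit = 0
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
anvil_rate_time_unit = 60s

# Clients exempt from the anvil limits (this is the default value).
smtpd_client_event_limit_exceptions = $mynetworks
```

Compare `postconf -d smtpd_timeout` (stock default) with `postconf -n` (active overrides) after editing, and watch the mail log for anvil's periodic "max connection count" and "max connection rate" statistics to see whether the per-client limits are actually being hit.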