Next-Generation DoS at the Higher Layers: A Study of SMTP Flooding

  • Gabriel Cartier
  • Jean-François Cartier
  • José M. Fernandez
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)


In this paper, we study distributed denial of service (DDoS) attacks that establish connections at the higher layers of the protocol stack, in order to maximize resource depletion on the targeted servers. In particular, we concentrate on attacks directed at SMTP applications on incoming mail servers. We first describe our experiments on the feasibility of such attacks on two widely used SMTP server applications: Microsoft Exchange 2010 and Postfix 2.8. The results show that both applications can survive relatively strong attacks, if configured properly. Although it was shown that Microsoft Exchange 2010 handles the attacks better than Postfix, both applications can benefit from hardened configurations.

In particular, we show the efficacy of their connection timeout mechanisms as a protection against this kind of DoS attack. We first show that default timeout parameters give weak protection for Postfix, but that Exchange’s default throttling policy makes attacks ineffective. We then statically modify the timeout value and other parameters in Postfix in order to measure their impact on the performance under an SMTP flood attack. The results obtained allow us to make recommendations about optimal configurations in terms of quality of service for legitimate clients.


Keywords: Default Setting, High Layer, Client Connection, Attack Strength, Legitimate Client
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Gabriel Cartier (1)
  • Jean-François Cartier (1)
  • José M. Fernandez (1)

  1. École Polytechnique de Montréal, Montréal, Canada
