Pop3 DoS

turbo2ltr

Twice now I've been hit with a DoS attack on the POP3 port which will crash the mail server.

Maybe I'm doing something wrong, but I added the IP to the iptables via the PPP and the attack continued (I tailed the maillog). I put the IP in the iptables to reject any destination and inserted it at the top of the list.

I finally had to add a null route to make it stop.

Any input on how this can be averted? Or why iptables would not immediately stop the attack?
 
1) If, after adding a rule to iptables, there are still packets coming through, then something is wrong with the rule.

2) In the common case one cannot stop a DoS attack with iptables. In order for a packet to be processed by the filter, this packet must first be accepted by the network interface. It must be 'processed' before reaching the filter, i.e. the packet goes through the scheduler (qdisc), nat, mangle etc.
Google 'iptables packets flow' to get the details.
With a high rate of incoming packets your server might use all its resources just for the "initial processing" of those packets.
 
Maybe "DoS" isn't quite what it was. The server was fine, but the mail server process reached its connection limit, which triggered cPanel to email me that it couldn't connect.

What I did was watch the maillog; here is an example of what was happening

Code:
May 11 19:15:39 host1 pop3d: Disconnected, ip=[::ffff:24.42.138.24]
May 11 19:15:40 host1 pop3d: Connection, ip=[::ffff:24.42.138.24]
May 11 19:15:40 host1 pop3d: LOGOUT, ip=[::ffff:24.42.138.24]
May 11 19:15:40 host1 pop3d: Disconnected, ip=[::ffff:24.42.138.24]
May 11 19:15:40 host1 pop3d: Connection, ip=[::ffff:24.42.138.24]
May 11 19:15:41 host1 authdaemond: Failed to getpwnam for user access1
May 11 19:15:41 host1 pop3d: LOGIN FAILED, user=access1, ip=[::ffff:24.42.138.24]
May 11 19:15:41 host1 pop3d: LOGOUT, ip=[::ffff:24.42.138.24]
May 11 19:15:41 host1 pop3d: Disconnected, ip=[::ffff:24.42.138.24]
May 11 19:15:42 host1 pop3d: Connection, ip=[::ffff:24.42.138.24]
May 11 19:15:42 host1 authdaemond: Failed to getpwnam for user accent1
May 11 19:15:42 host1 pop3d: LOGIN FAILED, user=accent1, ip=[::ffff:24.42.138.24]
May 11 19:15:45 host1 pop3d: Connection, ip=[::ffff:24.42.138.24]
May 11 19:15:45 host1 authdaemond: Failed to getpwnam for user account1
May 11 19:15:45 host1 pop3d: LOGIN FAILED, user=account1, ip=[::ffff:24.42.138.24]
May 11 19:15:46 host1 pop3d: LOGOUT, ip=[::ffff:24.42.138.24]
May 11 19:15:46 host1 pop3d: Disconnected, ip=[::ffff:24.42.138.24]
May 11 19:15:46 host1 pop3d: Connection, ip=[::ffff:24.42.138.24]
May 11 19:15:46 host1 authdaemond: Failed to getpwnam for user access1
May 11 19:15:46 host1 pop3d: LOGIN FAILED, user=access1, ip=[::ffff:24.42.138.24]
May 11 19:15:47 host1 pop3d: LOGOUT, ip=[::ffff:24.42.138.24]
May 11 19:15:47 host1 pop3d: Disconnected, ip=[::ffff:24.42.138.24]
May 11 19:15:48 host1 pop3d: Connection, ip=[::ffff:24.42.138.24]
May 11 19:15:49 host1 pop3d: LOGIN FAILED, user=accent1, ip=[::ffff:24.42.138.24]
May 11 19:15:50 host1 pop3d: LOGOUT, ip=[::ffff:24.42.138.24]
May 11 19:15:50 host1 pop3d: Disconnected, ip=[::ffff:24.42.138.24]
May 11 19:15:51 host1 pop3d: LOGOUT, ip=[::ffff:24.42.138.24]
May 11 19:15:51 host1 pop3d: Disconnected, ip=[::ffff:24.42.138.24]
May 11 19:15:52 host1 pop3d: Connection, ip=[::ffff:24.42.138.24]
May 11 19:15:52 host1 authdaemond: Failed to getpwnam for user account1
May 11 19:15:52 host1 pop3d: LOGIN FAILED, user=account1, ip=[::ffff:24.42.138.24]

I created an entry in PPP that looked like the attached image.

It did nothing, the mail log continued with more of the above.

Checking iptables directly, I see
Code:
REJECT     tcp  --  static-24-42-138-24.knology.net  anywhere            reject-with icmp-port-unreachable

I finally did this:

Code:
/sbin/route add -host 24.42.138.24 reject

And that stopped the connections.

I guess I'll read up on what you posted (thank you!) and see, but it makes no sense to me that packets can get through to the POP3 daemon when the firewall should be blocking them. I'm guessing it's user error, but I just don't know what.

Thanks,
Mike
 

Attachment: firewall.jpg
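The maillog excerpt above is exactly the material an automated block is built from. The following is an added example, not code from the thread, from cPanel or from the courier mail server: it parses lines in the pop3d syslog format shown above (the sample lines are constructed to resemble the excerpt), counts LOGIN FAILED events per source address in a sliding window (the maxretry/findtime idea fail2ban uses), strips the ::ffff: IPv4-mapped prefix that pop3d logs for IPv4 clients on a dual-stack socket so the block goes into iptables rather than ip6tables, and prints the DROP commands instead of running them. The host name, addresses and threshold values are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the courier pop3d/authdaemond syslog format seen in the
# thread (not a real capture): one noisy source, one legitimate login, one IPv6 failure.
SAMPLE_LOG = """\
May 11 19:15:40 host1 pop3d: Connection, ip=[::ffff:24.42.138.24]
May 11 19:15:41 host1 authdaemond: Failed to getpwnam for user access1
May 11 19:15:41 host1 pop3d: LOGIN FAILED, user=access1, ip=[::ffff:24.42.138.24]
May 11 19:15:41 host1 pop3d: LOGOUT, ip=[::ffff:24.42.138.24]
May 11 19:15:41 host1 pop3d: Disconnected, ip=[::ffff:24.42.138.24]
May 11 19:15:42 host1 pop3d: Connection, ip=[::ffff:24.42.138.24]
May 11 19:15:42 host1 pop3d: LOGIN FAILED, user=accent1, ip=[::ffff:24.42.138.24]
May 11 19:15:45 host1 pop3d: Connection, ip=[::ffff:24.42.138.24]
May 11 19:15:45 host1 pop3d: LOGIN FAILED, user=account1, ip=[::ffff:24.42.138.24]
May 11 19:15:46 host1 pop3d: LOGIN FAILED, user=access1, ip=[::ffff:24.42.138.24]
May 11 19:15:49 host1 pop3d: LOGIN FAILED, user=accent1, ip=[::ffff:24.42.138.24]
May 11 19:15:50 host1 pop3d: Connection, ip=[::ffff:198.51.100.7]
May 11 19:15:50 host1 pop3d: LOGIN, user=mike, ip=[::ffff:198.51.100.7]
May 11 19:15:52 host1 pop3d: LOGIN FAILED, user=account1, ip=[::ffff:24.42.138.24]
May 11 19:16:30 host1 pop3d: LOGIN FAILED, user=root, ip=[2001:db8::5]
"""

# Only pop3d events carry the client address; authdaemond lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pop3d: "
    r"(?P<event>Connection|LOGIN FAILED|LOGIN|LOGOUT|Disconnected)"
    r"(?:, user=(?P<user>[^,]+))?, ip=\[(?P<ip>[^\]]+)\]$"
)


def normalize_ip(raw):
    """Return (address, version). pop3d logs IPv4 clients on a dual-stack socket as
    IPv4-mapped IPv6 (::ffff:a.b.c.d); the packets on the wire were IPv4, so the
    block belongs in iptables, not ip6tables."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr), addr.version


def parse_failures(log_text):
    """Map normalized source address -> list of LOGIN FAILED timestamps."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") != "LOGIN FAILED":
            continue
        # syslog stamps carry no year; only differences are used, so 1900 is fine
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        failures[normalize_ip(m.group("ip"))[0]].append(ts)
    return failures


def exceeds_threshold(times, maxretry, findtime):
    """True if any window of `findtime` seconds holds at least `maxretry` events."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > findtime:
            start += 1
        if end - start + 1 >= maxretry:
            return True
    return False


def find_offenders(log_text, maxretry=5, findtime=60):
    """Return {address: total failures} for every source over the threshold."""
    return {
        ip: len(times)
        for ip, times in parse_failures(log_text).items()
        if exceeds_threshold(times, maxretry, findtime)
    }


def block_commands(ip, ports=(110, 995)):
    """The DROP rules suggested in the thread, as strings: one per POP3 port, inserted
    at the head of INPUT so no earlier ACCEPT can shadow them; ip6tables for a native
    IPv6 client. Nothing is executed here."""
    addr, version = normalize_ip(ip)
    tool = "/sbin/iptables" if version == 4 else "/sbin/ip6tables"
    return [
        f"{tool} -I INPUT {pos} -p tcp -s {addr} --dport {port} -j DROP"
        for pos, port in enumerate(ports, start=1)
    ]


if __name__ == "__main__":
    for ip, count in find_offenders(SAMPLE_LOG).items():
        print(f"# {ip}: {count} failed logins")
        print("\n".join(block_commands(ip)))
```

Run it as a script and it prints the two DROP lines for 24.42.138.24; the single IPv6 failure and the successful login from 198.51.100.7 stay below the threshold. Feeding it a real maillog on a running server still needs the usual care: a shared NAT gateway or a webmail host will trip the same counter, so whitelist those before wiring the output into the firewall.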
1) I would use DROP instead of REJECT. REJECT still uses resources to send the ICMP packet back.
2) Unfortunately a single line won't help. For example, there could have been an 'accept from world to pop3' rule before this one. Also, the '-n' and '-v' options would have been very helpful because, for example, it is unclear what the 'direction' is, i.e. whether 'anywhere' is the source or the destination, and it is unclear whether static-24-42-138-24.knology.net is indeed 24.42.138.24 - it might be any other IP address with a PTR record pointing to static-24-42-138-24.knology.net.

Code:
/sbin/iptables -I INPUT 1 -p tcp -s 24.42.138.24 --dport 110 -j DROP
/sbin/iptables -I INPUT 2 -p tcp -s 24.42.138.24 --dport 995 -j DROP

should take care of the problem - but only if the popper listens on the default ports.
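The point about an earlier 'accept from world to pop3' rule is easiest to see by evaluating a chain the way the kernel does, first match wins. The block below is an added example, not code from the thread: it parses an INPUT chain in `iptables -S INPUT` syntax and reports which rule a fresh POP3 SYN would hit. The ruleset is constructed to look like a panel-generated one, with a blanket accept for port 110 sitting ahead of the per-host REJECT, so the REJECT never fires even though it is present; inserting a DROP at position 1 changes the verdict. The simulator understands only -i, -p, -s, -d, --dport and --state/--ctstate and refuses any other token rather than guessing; the addresses and the placeholder server address 203.0.113.10 are assumptions.

```python
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed INPUT chain in `iptables -S INPUT` syntax, shaped like a panel-generated
# ruleset: a blanket accept for POP3 sits ahead of the per-host REJECT (not a real dump).
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -s 24.42.138.24/32 -j REJECT --reject-with icmp-port-unreachable
"""

# Options that take exactly one value. Anything else (e.g. '!' negation, -m limit
# parameters) is refused rather than ignored, so an unmodelled match cannot yield a
# false verdict.
VALUE_OPTS = {"-A", "-s", "-d", "-p", "-i", "-o", "-j", "-m",
              "--dport", "--sport", "--state", "--ctstate", "--reject-with"}


@dataclass
class Packet:
    """A fresh TCP SYN as conntrack sees it. dst is a placeholder server address."""
    src: str
    dport: int
    dst: str = "203.0.113.10"
    proto: str = "tcp"
    iface: str = "eth0"
    state: str = "NEW"


def parse_rule(line):
    toks = shlex.split(line)
    rule = {}
    i = 0
    while i < len(toks):
        if toks[i] not in VALUE_OPTS or i + 1 >= len(toks):
            raise ValueError(f"unsupported token {toks[i]!r} in {line!r}")
        rule[toks[i]] = toks[i + 1]
        i += 2
    return rule


def parse_ruleset(text):
    """Return (rules in chain order, chain policy)."""
    rules, policy = [], "ACCEPT"
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("-P "):
            policy = line.split()[2]
        else:
            rules.append(parse_rule(line))
    return rules, policy


def in_net(addr, spec):
    # spec must be an address or CIDR; a PTR name as shown by `iptables -L`
    # without -n would fail here, which is the point of always listing with -n.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if "-i" in rule and rule["-i"] != pkt.iface:
        return False
    if "-p" in rule and rule["-p"] != pkt.proto:
        return False
    if "-s" in rule and not in_net(pkt.src, rule["-s"]):
        return False
    if "-d" in rule and not in_net(pkt.dst, rule["-d"]):
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt.dport:
        return False
    for opt in ("--state", "--ctstate"):
        if opt in rule and pkt.state not in rule[opt].split(","):
            return False
    return True


def first_match(rules, policy, pkt):
    """First-match semantics of a chain: (1-based rule number, target), or
    (None, policy) when the packet falls off the end of the chain."""
    for num, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return num, rule["-j"]
    return None, policy


def insert_rule(rules, position, line):
    """Equivalent of `iptables -I INPUT <position> ...` on the parsed list."""
    new = list(rules)
    new.insert(position - 1, parse_rule(line))
    return new


if __name__ == "__main__":
    rules, policy = parse_ruleset(SAMPLE_RULES)
    probe = Packet("24.42.138.24", 110)
    print("as listed:", first_match(rules, policy, probe))
    fixed = insert_rule(rules, 1,
                        "-A INPUT -s 24.42.138.24/32 -p tcp -m tcp --dport 110 -j DROP")
    print("after -I INPUT 1:", first_match(fixed, policy, probe))
```

On the sample chain the probe SYN is accepted by rule 3 and the REJECT at rule 5 is never reached, which matches the symptom in the thread; the same packet hits the DROP at rule 1 once it is inserted ahead of the accept. On a real box, `iptables -S INPUT` (or `iptables -L INPUT -n -v --line-numbers`) gives the input this expects, with numeric addresses, and the per-rule packet counters from -v show directly which line is absorbing the traffic.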
 