[Dshield] Defense against server attacks

Chris Brenton cbrenton at chrisbrenton.org
Mon Dec 1 21:11:10 GMT 2003


On Mon, 2003-12-01 at 11:40, Jon R. Kibler wrote:

> For example, last night some clown launched a simple DOS attack against one of our MTAs. The fact the attack even occurred was not noticeable until we checked logs this morning and found an entry along the lines of:
> 	... did not issue MAIL/EXNP/VRFY/ETRN during connection to MTA
> 	... last message repeated 67076 times

I've seen a "blip" along the lines of what you are talking about:

maillog.11:Nov 21 01:03:24 mailgate sendmail[3565]: hAL63NEW003565:
h68-146-70-193.cg.shawcable.net [68.146.70.193] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
maillog.11:Nov 21 01:03:25 mailgate sendmail[3567]: hAL63OEW003567:
[221.124.11.52] did not issue MAIL/EXPN/VRFY/ETRN during connection to
MTA
maillog.11:Nov 21 01:03:26 mailgate sendmail[3569]: hAL63QEW003569:
66-215-234-207.riv-eres.charterpipeline.net [66.215.234.207] did not
issue MAIL/EXPN/VRFY/ETRN during connection to MTA
maillog.11:Nov 21 01:03:26 mailgate sendmail[3571]: hAL63QEW003571:
pcp729294pcs.arlngt01.va.comcast.net [68.50.65.255] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
maillog.11:Nov 21 01:03:31 mailgate sendmail[3573]: hAL63VEW003573:
24-205-19-20.mpk-eres.charterpipeline.net [24.205.19.20] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
maillog.11:Nov 21 01:03:34 mailgate sendmail[3575]: hAL63YEW003575:
user-0cal1jj.cable.mindspring.com [24.170.134.115] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
maillog.11:Nov 21 01:03:34 mailgate sendmail[3577]: hAL63YEW003577:
24-161-19-118.hvc.rr.com [24.161.19.118] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
maillog.11:Nov 21 01:03:34 mailgate sendmail[3579]: hAL63YEW003579:
pcp729294pcs.arlngt01.va.comcast.net [68.50.65.255] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
maillog.11:Nov 21 01:03:35 mailgate sendmail[3581]: hAL63YEW003581:
pcp555077pcs.galitn01.tn.comcast.net [68.53.70.91] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
maillog.11:Nov 21 01:03:35 mailgate sendmail[3583]: hAL63ZEW003583:
pcp729294pcs.arlngt01.va.comcast.net [68.50.65.255] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA
maillog.11:Nov 21 01:03:43 mailgate sendmail[3585]: hAL63hEW003585:
ool-18baee84.dyn.optonline.net [24.186.238.132] did not issue
MAIL/EXPN/VRFY/ETRN during connection to MTA

A couple of things I found interesting. First, notice the preference
towards cable modem systems. This is a real surprise...not. ;-)

Also, the source has to complete a three packet handshake to get this
far (not a rudimentary SYN flood) so I'm guessing all the sources are
legit. This speaks to a number of 0wn3d boxes focused for performing the
attack. 

IMHO this is kind of a useless attack. My guess is someone is playing
around to see if it's effective.

> Any thoughts on how to detect something like this while it is in progress and what can be done if such an attack is detected?

Without knowing the tool being used it's hard to say. You could reject
the connection with a TCP RST or ICMP host unreachable which would limit
the number of packets for that session. This may simply cause that
session to continue to retry however, thus using up more bandwidth than
if you just let it happen.

So beyond having your upstream do some filtering, there is not much you
can do. :(

C 
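One way to spot a burst like this while it is still in progress, as an added example that is not part of the post or of sendmail: it parses the "did not issue MAIL/EXPN/VRFY/ETRN" records (assumed one record per line, i.e. the mail-client wrapping above re-joined), buckets them into fixed windows counted from the first record, and flags windows that reach a threshold, with a per-source breakdown so a single retrying host can be told apart from many distinct sources. The sample records are constructed with RFC 5737 addresses and timed like the burst above; the window size and threshold are assumed values to tune for your own MTA.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sendmail's idle-connection record as shown in the post; the hostname before
# the bracketed address is optional (absent when the reverse lookup fails).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: (?:\S+ )?"
    r"\[(?P<ip>\d+\.\d+\.\d+\.\d+)\] did not issue MAIL/EXPN/VRFY/ETRN"
)
# Constructed sample (RFC 5737 addresses), timed like the burst in the post.
SAMPLE_LOG = """\
Nov 21 01:03:24 mailgate sendmail[3565]: hAL0001: h1.cable.example [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 01:03:25 mailgate sendmail[3567]: hAL0002: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 01:03:26 mailgate sendmail[3569]: hAL0003: h3.cable.example [192.0.2.33] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 01:03:26 mailgate sendmail[3571]: hAL0004: h4.cable.example [192.0.2.44] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 01:03:31 mailgate sendmail[3573]: hAL0005: h5.cable.example [203.0.113.5] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 01:03:34 mailgate sendmail[3575]: hAL0006: h6.cable.example [192.0.2.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 01:03:34 mailgate sendmail[3577]: hAL0007: h7.cable.example [198.51.100.77] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 01:03:34 mailgate sendmail[3579]: hAL0008: h4.cable.example [192.0.2.44] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 01:03:35 mailgate sendmail[3581]: hAL0009: h9.cable.example [203.0.113.9] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 01:03:35 mailgate sendmail[3583]: hAL0010: h4.cable.example [192.0.2.44] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 21 01:03:40 mailgate sendmail[3584]: hAL0099: from=<user@example.com>, size=512, class=0, nrcpts=1, proto=ESMTP
Nov 21 01:03:43 mailgate sendmail[3585]: hAL0011: h11.cable.example [198.51.100.111] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

def parse_idle_connections(lines, year=2003):
    """Return [(timestamp, source_ip)] for each idle-connection record; other
    sendmail records (deliveries, etc.) are ignored. Syslog omits the year."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events

def find_bursts(events, window_s=10, threshold=5):
    """Bucket events into window_s-second windows counted from the first event
    and return the windows that reach the threshold, with a per-source
    breakdown so one retrying host can be told from many distinct sources."""
    if not events:
        return []
    base = events[0][0]
    buckets = defaultdict(Counter)
    for ts, ip in events:
        buckets[int((ts - base).total_seconds()) // window_s][ip] += 1
    return [{"offset_s": k * window_s, "total": sum(c.values()),
             "distinct_sources": len(c), "per_source": dict(c)}
            for k, c in sorted(buckets.items()) if sum(c.values()) >= threshold]
```

Run it as `find_bursts(parse_idle_connections(SAMPLE_LOG.splitlines()))`; on the sample it reports two 10-second windows, the second of which shows 192.0.2.44 connecting twice among five distinct sources.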