Am 26.10.2011 10:43, schrieb Steinar Bang:
Steinar Bang sb@dod.no: Timo Sirainen tss@iki.fi:
I don't know if I'm doing something wrong, but I can't even cause a DoS. Even while all imap-login processes are eating 100% CPU (almost 500 handshakes/second), I can successfully log in with another client.
Are you using the tool linked to in the article, to stress the server? http://www.thc.org/thc-ssl-dos/
Here's what the article says about stressing dovecot: "Alle servertjenester benytter SSL kan i utgangspunktet være berørt. Digi.no har testet verktøyet mot en eldre, intern server som kjører Linux. Angrepet mot Apache/HTTPD var mislykket, fordi SSL Renegotiation var deaktivert som standard. Men en angrep mot en POP3S-basert (kryptert e-post) tjeneste levert av serverprogramvaren Dovecot, kjørte CPU-lasten i taket med over tusen «handshakes» i sekundet. Angrepet førte ikke til at hele maskinen ble utilgjengelig, men POP3S-tjenesten ble i praksis ubrukelig så lenge angrepet varte."
A quick translate: All services using SSL can be affected. Digi.no has tested the tool against an old, internal server running Linux. The attach against Apache httpd failed, because SSL Renegotiation was deactivated by default. But an attach against a POP3S (encrypted email) service delivered by the server program Dovecot, ran the CPU-load into the roof with over a thousand "Handshakes" per second. The attack didn't cause the computer to be inaccessible, but the POP3S-service was unusable for the duration of the attack.
So it looks like they didn't test IMAPS access, only POP3S.
however wasnt it possible ever to stress any service via ddos ? this tool may only very effective in doing that
the most problem is see , not everybody can use fail2ban on his servers by keeping out dummy auth users over nat ( I have such case )
anyway ,firewalls should slow down ddos attacks, which might cause other problems then *g, but for sure not from one ip
just a few thoughts..,for sure ,best way would be, getting it fixed
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria