Steinar Bang <sb@dod.no>, replying to Timo Sirainen <tss@iki.fi>, who wrote:
> I don't know if I'm doing something wrong, but I can't even cause a DoS. Even while all imap-login processes are eating 100% CPU (almost 500 handshakes/second), I can successfully log in with another client.
Are you using the tool linked to in the article to stress the server? http://www.thc.org/thc-ssl-dos/
Here's what the article says about stressing Dovecot (the original is in Norwegian; a quick translation follows): "All server services that use SSL can in principle be affected. Digi.no has tested the tool against an older, internal server running Linux. The attack against Apache httpd failed, because SSL renegotiation was deactivated by default. But an attack against a POP3S (encrypted e-mail) service delivered by the server software Dovecot drove the CPU load through the roof, with over a thousand 'handshakes' per second. The attack didn't make the whole machine inaccessible, but the POP3S service was in practice unusable for as long as the attack lasted."
So it looks like they didn't test IMAPS access, only POP3S.