Hello everyone,

We have been using the Cyrus IMAP and POP daemons on many servers for quite some time (3+ years) and we're very satisfied with them so far. But having recently been attacked many times, especially on the POP3 service, I am looking for some advice, or maybe making a feature request for more protection against DoS.

I have had a quick look at the code from version 2.3.12pl2, especially imap/pop3d.c, and I wonder about the way the pop3d daemon accepts commands. If I am not mistaken, it seems to loop forever waiting for new commands until a "quit" or shutdown condition is encountered. But the "Invalid Login" error (cmd_pass) does not seem to close the connection or at least start a timeout. Thus, a simple client trying to DoS one of our servers connected multiple times, not even really quickly, but left the connections open, since after an "Invalid Login" error code the pop3d daemon keeps the connection open. This way it is really easy to make a denial of service attack against a production server running cyrus pop3d. I fear there is the same kind of problem with imapd, which also seems to keep connections open after a failed login attempt.

I read some solutions on this list before, but I don't think they can be used correctly in an autonomous (meaning I don't want to log in and check everything every day) production system.

- Using iptables with the "recent" module is the "least worst" solution to me since it limits connections per IP, but since we sometimes have clients NATed with hundreds of users on the same IP address it would not match correctly, still allowing an attacker to leave a hundred connections open, eating a bunch of our resources.
- Using maxchild in cyrus.conf. It seems inappropriate to me since it will prevent legitimate users from connecting while the attacker is active, effectively denying service during that time.
- Increasing the security level (SSL / CRAM-MD5 / ...). In a wonderful world it would be possible, but I would bet (though I've not checked yet) that some of our users have pretty broken clients (like old Outl**k...) that would not be able to log in anymore. Then we would be stuck, or denying some service ourselves...

The correct solution to me would be to allow some configuration directive, or even a complex iptables rule, that could close or time out the connection depending on its current status. The logic may be quite simple, since only connections with a bad login attempt would have to be closed. Since a DoS could be done by keeping connections open without trying to log in, a timeout for this case should also be used. A production system should certainly use a combination of those. I have no idea how to figure out with iptables that a connection has had a failed login attempt, or still hasn't logged in. It may be simpler to manage this directly within the cyrus backend and allow configuration directives to protect large servers from this kind of DoS...

How do you protect your servers against this kind of easy (to me) way of sucking resources? I am pretty sure this kind of problem will arise more and more often in the following weeks/months, and efficient DoS protection is always a good argument for a professional-grade IMAP/POP3 solution such as Cyrus IMAP.

Thanks for reading this long message, I hope you can help me fight these DoS problems.

Regards,
Stephane Berthelot.

--
Stéphane BERTHELOT
EmisFR - Network: Security and Servers, Business-specific and custom development - 10 rue Mazagran, 54000 NANCY, France
http://www.emisfr.com
Tel/Fax. 03 83 32 25 75

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
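As an added example (not Cyrus code and not the poster's), here is what the per-connection policy proposed in the message could look like in C: a pop3d-style session state machine with a pre-authentication idle timeout and a close-after-bad-login rule, so that a connection that fails PASS or never logs in is dropped instead of being kept open indefinitely. The function names, the limits and the credential check are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <string.h>
#include <time.h>
/* Limits are assumptions for this example, not Cyrus settings. */
#define PREAUTH_TIMEOUT_SECS 30   /* idle time allowed before a successful login */
#define MAX_BAD_LOGINS        1   /* failed PASS commands tolerated per connection */

enum pop3_state { POP3_AUTHORIZATION, POP3_TRANSACTION, POP3_CLOSED };
struct pop3_session {
    enum pop3_state state;
    int bad_logins;
    time_t last_activity;         /* when the last command arrived */
};
void pop3_session_init(struct pop3_session *s, time_t now)
{
    s->state = POP3_AUTHORIZATION; s->bad_logins = 0; s->last_activity = now;
}
/* Stand-in for the real SASL/password check (constructed credentials). */
static bool check_credentials(const char *user, const char *pass)
{
    return strcmp(user, "alice") == 0 && strcmp(pass, "correct-horse") == 0;
}

/* Poll-loop hook: a connection idle in AUTHORIZATION state longer than
 * PREAUTH_TIMEOUT_SECS is closed whether or not it ever sent a command. */
bool pop3_preauth_timed_out(struct pop3_session *s, time_t now)
{
    if (s->state != POP3_AUTHORIZATION || now - s->last_activity <= PREAUTH_TIMEOUT_SECS)
        return false;
    s->state = POP3_CLOSED;
    return true;
}

/* cmd_pass equivalent: count bad logins and close the session at the limit
 * instead of looping back to wait for the next command. */
const char *pop3_cmd_pass(struct pop3_session *s, const char *user,
                          const char *pass, time_t now)
{
    s->last_activity = now;
    if (s->state != POP3_AUTHORIZATION)
        return "-ERR Unknown command";
    if (check_credentials(user, pass)) {
        s->state = POP3_TRANSACTION;
        return "+OK Logged in";
    }
    if (++s->bad_logins >= MAX_BAD_LOGINS)
        s->state = POP3_CLOSED;   /* caller must close the socket now */
    return s->state == POP3_CLOSED ? "-ERR Invalid login, closing connection"
                                   : "-ERR Invalid login";
}
```

The accept loop would call pop3_preauth_timed_out on every poll timeout and close any socket whose session reaches POP3_CLOSED, which covers both the idle-without-login case and the bad-login case raised in the message.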