Abstract
In this paper, we study distributed denial of service (DDoS) attacks that establish connections at the higher layers of the protocol stack, in order to maximize resource depletion on the targeted servers. In particular, we concentrate on attacks directed at SMTP applications on incoming mail servers. We first describe our experiments on the feasibility of such attacks on two widely used SMTP server applications: Microsoft Exchange 2010 and Postfix 2.8. The results show that both applications can survive relatively strong attacks if configured properly. Although Microsoft Exchange 2010 was shown to handle the attacks better than Postfix, both applications benefit from hardened configurations.
In particular, we show the efficacy of their connection timeout mechanisms as a protection against this kind of DoS attack. We first show that the default timeout parameters give weak protection for Postfix, whereas Exchange's default throttling policy makes the attacks ineffective. We then set fixed (static) values for the timeout and other parameters in Postfix in order to measure their impact on performance under an SMTP flood attack. The results obtained allow us to make recommendations about optimal configurations in terms of quality of service for legitimate clients.
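The abstract's claim rests on a simple mechanism: an attacker that opens SMTP connections and then sends nothing ties up one server process per connection until the server's idle timeout reclaims it, so the number of processes an attacker can hold is roughly its connection rate multiplied by the timeout. The following discrete-time model, added here as an illustration and not taken from the paper, runs the same silent-connection flood against a 300 s idle timeout and a 10 s one and reports how many legitimate sessions are turned away. The numbers are labelled assumptions: 100 concurrent server processes (the default value of Postfix's default_process_limit), 300 s (the default of Postfix's smtpd_timeout) versus 10 s (the value Postfix's stress-adaptive mode applies), and illustrative attack and legitimate arrival rates.

```python
"""Slot-exhaustion model of an SMTP idle-connection flood.

Added example for this page; it is not code from Cartier et al. It models the
mechanism the abstract describes: an attacker opens SMTP connections, sends
nothing, and ties up one server process per connection until the server's
idle timeout reclaims it. Assumed (labelled) parameters: 100 concurrent
server processes (Postfix's default_process_limit default), an idle timeout
of 300 s (Postfix's smtpd_timeout default) versus 10 s (what Postfix's
stress-adaptive mode switches to), and illustrative traffic rates.
"""
from dataclasses import dataclass
import heapq


@dataclass
class FloodResult:
    legit_offered: int
    legit_rejected: int
    peak_attacker_slots: int

    @property
    def rejection_ratio(self) -> float:
        if self.legit_offered == 0:
            return 0.0
        return self.legit_rejected / self.legit_offered


def steady_state_attacker_slots(slots: int, attack_rate: int, idle_timeout: int) -> int:
    """Little's law: idle attacker connections held by the server equal the
    arrival rate times the holding time, capped by the number of slots. This
    is the quantity the timeout controls; the simulation converges to it."""
    return min(slots, attack_rate * idle_timeout)


def simulate_flood(slots: int, idle_timeout: int, attack_rate: int,
                   legit_rate: int, legit_duration: int, horizon: int) -> FloodResult:
    """Discrete-time simulation with 1 s ticks.

    Each tick, `attack_rate` attacker connections open and stay silent; the
    server frees each one only after `idle_timeout` seconds. `legit_rate`
    legitimate sessions also arrive, each holding a slot for `legit_duration`
    seconds. An arrival that finds no free slot counts as rejected (a
    simplification: a real server leaves it in the listen backlog, where the
    client eventually gives up). Attackers are admitted before legitimate
    clients within a tick, the worst case for legitimate traffic.
    """
    held = []  # min-heap of (release_time, is_attacker)
    attackers_held = 0
    peak_attackers = 0
    offered = rejected = 0

    for now in range(horizon + 1):
        # Reclaim every connection whose timeout or session has elapsed.
        while held and held[0][0] <= now:
            _, is_attacker = heapq.heappop(held)
            if is_attacker:
                attackers_held -= 1
        # Attacker connections: silent, held until the idle timeout fires.
        for _ in range(attack_rate):
            if len(held) < slots:
                heapq.heappush(held, (now + idle_timeout, True))
                attackers_held += 1
        peak_attackers = max(peak_attackers, attackers_held)
        # Legitimate sessions: short, but they need a free slot right now.
        for _ in range(legit_rate):
            offered += 1
            if len(held) < slots:
                heapq.heappush(held, (now + legit_duration, False))
            else:
                rejected += 1
    return FloodResult(offered, rejected, peak_attackers)


def compare_timeouts(attack_rate: int = 1) -> dict:
    """Run the same flood against the default and the hardened idle timeout."""
    common = dict(slots=100, attack_rate=attack_rate, legit_rate=5,
                  legit_duration=2, horizon=600)
    return {
        "default_300s": simulate_flood(idle_timeout=300, **common),
        "stress_10s": simulate_flood(idle_timeout=10, **common),
    }


if __name__ == "__main__":
    for name, r in compare_timeouts().items():
        print(f"{name}: peak attacker slots={r.peak_attacker_slots}, "
              f"legitimate rejection ratio={r.rejection_ratio:.2f}")
```

With one silent connection per second, the 300 s timeout lets the attacker occupy all 100 processes after about a minute and a half, and roughly 84% of legitimate sessions over the ten-minute run are turned away; with the 10 s timeout the attacker never holds more than ten processes and nothing is rejected. The model deliberately omits the cost of the short timeout, which is the trade-off the paper's recommendations address: a legitimate client that pauses longer than the idle timeout (a slow link, a busy relay) is cut off just like the attacker. Postfix's stress-adaptive mechanism is the practical compromise, applying the short value only while the process limit is saturated, for example smtpd_timeout = ${stress?10}${stress:300} as documented in STRESS_README.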
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Cartier, G., Cartier, JF., Fernandez, J.M. (2013). Next-Generation DoS at the Higher Layers: A Study of SMTP Flooding. In: Lopez, J., Huang, X., Sandhu, R. (eds) Network and System Security. NSS 2013. Lecture Notes in Computer Science, vol 7873. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38631-2_12
DOI: https://doi.org/10.1007/978-3-642-38631-2_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38630-5
Online ISBN: 978-3-642-38631-2