pop3d exploit

Mirosław Jaworski mjaw at ikp.pl
Tue Jan 30 17:42:35 EST 2007


On Tue, 2007-01-30 at 15:11 -0600, Vernon A. Fort wrote:
> The connections to the pop3d were from ONE specific host which had 525 
> connections within 20 minutes.

That's merely a connection every 2 seconds.
That shouldn't be a big deal, unless connections were left open 
and idle on purpose.
A medium-size office sitting behind a NAT can easily do that.

> Around 20 minutes after the first 
> badlogin from this host is when the "Too many open files" started 
> appearing.  It appears to be a DoS attack which just overwhelmed the 
> server.

Anyway, if that's the anomaly you found, it may be it.

> I added a maxchild=30 to the cyrus.conf pop2 SERVICES.

That's the one limit one should have.
For more detailed limits (like sessions per IP, new connections per IP
in a period of time, and so on) you may want to take a look at the BSD
packet filter.

M.

-- 
Mirosław "Psyborg" Jaworski
GCS/IT d- s+:+ a C++$ UBI++++$ P+++$ L- E--- W++(+++)$ N++ o+ K- w-- O-
M- V- PS+ PE++ Y+ PGP t 5? X+ R++ !tv b++(+++) DI++ D+ G e* h++ r+++ y?
         "Veni, Vedi, Visa: I came. I saw. I did a little shopping."

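The per-source limits mentioned in the reply above, sketched as a pf.conf fragment. This is an added example, not part of the original message; the interface name, the table name and every numeric limit are assumptions to be tuned for the site.

```pf
# Added example: interface, table name and all numbers are assumptions.
ext_if = "em0"                      # assumed external interface

# Sources that exceed the limits below are collected here and dropped early.
table <pop3_abusers> persist
block in quick on $ext_if proto tcp from <pop3_abusers> to any port 110

# max-src-conn      : simultaneous established connections per source address.
#                     This caps sessions left open and idle, the case that
#                     exhausts file descriptors. Kept below maxchild=30 so one
#                     source cannot occupy every pop3d child.
# max-src-conn-rate : new connections per source per interval (30 in 60 s).
#                     The thread's 525 connections in 20 minutes is about 26
#                     per minute, which a NATed office can produce, so the
#                     rate limit is set above that.
# overload + flush  : put the offender in the table and kill its states.
pass in on $ext_if proto tcp to ($ext_if) port 110 flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 30/60, \
     overload <pop3_abusers> flush global)
```

Addresses stay in the table until removed; `pfctl -t pop3_abusers -T expire 3600` drops entries older than an hour.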

