Protection against POP or IMAP Denial of Service (DOS)
Stéphane BERTHELOT
sberthelot at emisfr.com
Tue May 20 18:32:33 EDT 2008
Hello everyone,
We are using Cyrus IMAP and POP daemons on many servers for quite some
time (3+ years) and we're very satisfied with it for now.
But having recently been attacked many times, especially on the POP3 service, I am
looking for some advice, or maybe making a feature request for some more
protection against DOS.
I have had a quick look at the code from version 2.3.12pl2 especially in
imap/pop3d.c and I wonder about the way the pop3d daemon accepts commands.
If I am not too mistaken it seems to loop forever waiting for new
commands until a "quit" or shutdown condition is encountered.
But the "Invalid Login" error (cmd_pass) does not seem to close
connection or at least start a timeout.
Thus, a simple client trying to DOS one of our servers connected
multiple times, not even really quickly, but left the connections open, since
after an "Invalid Login" error code the pop3d daemon keeps the
connection open.
This way it is really easy to make a denial of service attack against a
production server running cyrus pop3d. I fear there is the same kind of
problem with imapd, which also seems to keep connections open after a
failed login attempt.
I read some solutions on this list before but I don't think they can be
used correctly in an autonomous (which means I don't want to login and
check everything everyday) production system.
- using iptables with the "recent" module is the "less worst" solution to me
since it limits connections per IP, but since we sometimes have clients
NATed with hundreds of users on the same IP address it would not match
correctly, still allowing an attacker to leave open a hundred
connections eating a bunch of our resources.
- using max child in cyrus.conf. It seems inappropriate to me since it
will prevent legitimate users from connecting while the attacker is
performing, effectively denying service access during that time.
- increase security level (SSL/ CRAM-MD5/ ...). In a wonderful world it
would be possible but I would bet (but I've not checked yet) that some
of our users have pretty broken clients (like old Outl**k...) that would
not be able to login anymore. Then we would be stuck or denying some
service ourselves ...
The correct solution to me would be to allow some configuration
directive or even a complex iptables rule that could close or timeout
upon the status of the current connection. The logic may be quite
simple, since only connections with bad login attempt would have to be
closed. Since DOS could be done keeping connections open without trying
to login, a timeout for this case should also be used.
A production system should certainly use a combination of those, but I have
no idea how to figure out with iptables that the connection has had a failed
login attempt, or still hasn't logged in. It may be simpler to manage
this directly within cyrus backend and allow configuration directives to
protect large servers from this kind of DOS...
How do you protect your servers against this kind of easy (to me) way of
sucking resources?
I am pretty sure this kind of problem will arise more and more often in
the following weeks/months, and an efficient DOS protection is always a good
argument for a professional grade IMAP/POP3 solution such as Cyrus IMAP.
Thanks for reading this long message, I hope you can help me fight
those DOS problems,
Regards,
Stephane Berthelot.
--
Stéphane BERTHELOT
EmisFR
- Network: Security and Servers, Business and custom software development -
10 rue Mazagran, 54000 NANCY, France
http://www.emisfr.com
Tel/Fax. 03 83 32 25 75
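The daemon-side policy sketched in the message (close a connection after repeated bad logins, and time out connections that never log in) as an added example; this is not Cyrus code, and the limits, the tiny credential table and the command responses are all constructed for the demonstration:

```python
MAX_FAILED_LOGINS = 3      # close the connection after this many bad logins (assumed limit)
PREAUTH_IDLE_TIMEOUT = 30  # seconds a connection may sit unauthenticated (assumed limit)

# Constructed credential store; a real server defers to its auth backend.
CREDENTIALS = {"alice": "correct horse"}


class PreAuthGuard:
    """Per-connection state for the POP3 pre-authentication phase."""

    def __init__(self, now):
        self.user = None
        self.failures = 0
        self.authenticated = False
        self.last_activity = now

    def idle_expired(self, now):
        # Only unauthenticated connections are subject to the idle cutoff.
        return (not self.authenticated
                and now - self.last_activity > PREAUTH_IDLE_TIMEOUT)

    def handle(self, line, now):
        """Process one client command; return (response, keep_open)."""
        if self.idle_expired(now):
            return "-ERR idle timeout before login", False
        self.last_activity = now
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            return "+OK bye", False
        if self.authenticated and verb in ("USER", "PASS"):
            return "-ERR already authenticated", True
        if verb == "USER":
            self.user = arg
            return "+OK", True
        if verb == "PASS":
            if self.user is not None and CREDENTIALS.get(self.user) == arg:
                self.authenticated = True
                return "+OK logged in", True
            self.failures += 1
            if self.failures >= MAX_FAILED_LOGINS:
                # Drop the connection instead of leaving it open for the attacker.
                return "-ERR too many failed logins, closing", False
            return "-ERR invalid login", True
        return "-ERR unknown command", True
```

A server loop would pass each received line with the current time and close the socket whenever keep_open is False; the idle check also needs to run from a read timeout, since a silent client sends no line at all.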