Protection against POP or IMAP Denial of Service (DOS)

Tue May 20 23:08:06 EDT 2008

On Wed, May 21, 2008 at 12:32:33AM +0200, Stéphane BERTHELOT wrote:
> But being recently attacked many times especially on POP3 service I am 
> looking for some advice or maybe making a feature request for some more 
> protection against DOS.

Gosh, I seem to be spending a lot of time pimping nginx here!  We get
protection against this sort of DOS for free (as well as load balancing
and etc) by having frontend servers running nginx as a proxy.

Nginx is compiled (on our 2.6.x kernels) with epoll support, so it can
handle bazillions of connections with the 8 processes it's configured to
use.  It also handles SSL (so the backend IMAP machines don't need to)
and deals with the connection up until the point where the user is
authenticated, at which stage it performs a login on the backend server
and links the connection through.

Compared to Perdition which was one-process-per-connection, this has
scaled amazingly well.  One medium spec machine can easily handle
(checks) about 7000 connections at the moment, and it scales to a lot
more than that during the US day.  That's with HTTP proxy, authenticated
SMTP injection, ftp server, lots of other things - and the frontend
machine is still barely using one of the 4 processor cores in it.

You could easily put nginx on your IMAP server directly if you didn't
want to dedicate a second machine to the job, and it would handle the
DOS risk for you.

I like this approach from a UNIX design perspective.  One service that
is designed for coping with DOS attacks and talking to the outside
world, and a separate service that is designed purely for actually
providing the service, rather than complicating it with DOS accounting
and tracking mechanisms.

Bron.