Setting up DoS Abuse Detection
Question asked by James Chase - 8/20/2014 at 5:08 AM
Answered
Is anyone using the Denial of Service abuse detection for SMTP or any other protocols?
 
If so, do you have a recommended setup that won't flag casual users? I'm a bit clueless as to where to set these markers, but it seems like it would be useful to have on.

4 Replies

Bruce Barnes Replied
Marked As Answer
We have both the DDoS and Password Brute Force tests enabled on our own servers and several of our customers. 

While not perfect, they work pretty well and can log and block misbehaving IP addresses for whatever period of time they are set to do so.

There are a couple of caveats related to their use:

1. Stopping and restarting the SmarterMail service wipes out the table of blocked IP addresses;

2. Depending on the number of users in any given hosted domain, and on how many of them might be in a single location and attempting to access SmarterMail simultaneously, it is very easy to create false positives for the SMTP, POP and IMAP DDoS blocking filters.

This is especially true where a single IP address or a PRIVATE IP address is used in an organization with a large number of individuals and can, without some aggressive monitoring and periodic re-adjustments, cause legitimate users to be periodically blocked from legitimate access to their SmarterMail servers.

Password Brute Force blocking tends to work much better because most users store their passwords in their desktop, tablet or smart phone clients at the time they build the settings for the account. 

In my personal experience, Password Brute Force issues caused by legitimate users are almost non-existent - almost set it and forget it - but MONITOR regularly to make certain the SmarterMail server is not at risk. [HINT: Set your SMTP and DELIVERY LOGS to DETAILED and store several months' worth of data so you can spot trends!]

More recent DDoS attacks are especially difficult to protect against because of the new technology used in the BOTS. 

These "snowshoe" attacks spread the threat over a large group of botnet servers which, in some cases, do a small portion of the work and then communicate back to a "master server" or group of master servers about any vulnerabilities found, so the attack can be continued by another botnet, on another device, with a different IP address, which might be physically located in another country.

InformationWeek's "Dark Reading" series had a particularly good article on fighting anonymous DDoS attacks. The article can be read at: http://www.darkreading.com/vulnerabilities-and-threats/10-strategies-to-fight-anonymous-ddos-attacks/d/d-id/1102699?

Patrick Lambert, of TechRepublic, also wrote an interesting article on DDoS attacks. Titled "DDoS Attack Methods and How to Prevent or Mitigate Them," the article can be seen at: https://www.techrepublic.com/blog/it-security/ddos-attack-methods-and-how-to-prevent-or-mitigate-them/

Good Luck!
Bruce Barnes, ChicagoNetTech Inc
https://www.chicagonettech.com
Goran Jovanovic Replied
Bruce,

We just had an interesting issue. We moved a client over to our SmarterMail and they ended up getting blocked by Password Brute Force detection or something like that. We whitelisted their company IP and that seems to have cleared it.

However, how/where do we see what IPs are being blocked or greylisted or anything?

I have looked but have not found the appropriate spot.

Can you let me know?

Thanks
Goran
Employee Replied
Employee Post
Goran, you can find the current IPs that are being blocked under System Admin->Manage->Current IDS Blocks. There is no listing or report for greylisted IPs.
Jaime Replied
Is there any way to see which email addresses/users generated those DOS POP or SMTP connections that caused the IP address blocking?
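Bruce's caveat about a whole office sharing one IP address, and Jaime's question about which accounts were behind a blocked IP, can both be illustrated with a small script run over the kind of detailed SMTP log Bruce recommends keeping. This is an added example, not code from this thread or from SmarterMail: the log layout, the IP addresses and the user names are all constructed for the demonstration, and the sliding-window rule ("more than N connections from one IP within W seconds") is a generic model of how DoS abuse detection works rather than SmarterMail's exact algorithm.

```python
"""Sliding-window connection counting over SMTP-style log lines.

Constructed example: the log format below is invented for this demonstration
and is not SmarterMail's own log layout; the threshold mirrors the generic
"N connections from one IP within W seconds" rule that DoS abuse detection
features use.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real data). Columns: date time ip event user
# 203.0.113.10 is an office NAT address with six real users logging in at once,
# 198.51.100.7 opens connections without ever authenticating,
# 192.0.2.5 is a single home user checking mail twice.
SAMPLE_LOG = """\
2014-08-20 05:00:01 203.0.113.10 connect -
2014-08-20 05:00:01 203.0.113.10 auth alice@example.com
2014-08-20 05:00:02 203.0.113.10 connect -
2014-08-20 05:00:02 203.0.113.10 auth bob@example.com
2014-08-20 05:00:03 203.0.113.10 connect -
2014-08-20 05:00:03 203.0.113.10 auth carol@example.com
2014-08-20 05:00:04 192.0.2.5 connect -
2014-08-20 05:00:04 192.0.2.5 auth dave@example.net
2014-08-20 05:00:05 203.0.113.10 connect -
2014-08-20 05:00:05 203.0.113.10 auth erin@example.com
2014-08-20 05:00:06 203.0.113.10 connect -
2014-08-20 05:00:06 203.0.113.10 auth frank@example.com
2014-08-20 05:00:07 203.0.113.10 connect -
2014-08-20 05:00:07 203.0.113.10 auth grace@example.com
2014-08-20 05:00:10 198.51.100.7 connect -
2014-08-20 05:00:10 198.51.100.7 connect -
2014-08-20 05:00:11 198.51.100.7 connect -
2014-08-20 05:00:11 198.51.100.7 connect -
2014-08-20 05:00:12 198.51.100.7 connect -
2014-08-20 05:00:12 198.51.100.7 connect -
2014-08-20 05:09:00 192.0.2.5 connect -
2014-08-20 05:09:00 192.0.2.5 auth dave@example.net
"""


def parse_log(text):
    """Turn each line into (timestamp, ip, event, user); user is None for '-'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ip, event, user = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append((ts, ip, event, None if user == "-" else user))
    return records


def find_dos_offenders(records, max_connections, window_seconds, whitelist=()):
    """Return {ip: timestamp} for IPs that exceed max_connections 'connect'
    events within any window_seconds span. Whitelisted IPs are skipped, which
    is the usual fix for an office NAT address that trips the rule."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for ts, ip, event, _ in records:
        if event != "connect" or ip in whitelist or ip in offenders:
            continue
        q = recent[ip]
        q.append(ts)
        # drop timestamps that have fallen out of the window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_connections:
            offenders[ip] = ts
    return offenders


def users_behind_ip(records, ip):
    """Sorted list of accounts that authenticated from ip; empty for an IP
    that only opened connections and never logged in."""
    return sorted({user for _, rip, event, user in records
                   if rip == ip and event == "auth" and user})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hits = find_dos_offenders(recs, max_connections=5, window_seconds=60)
    for ip, when in hits.items():
        users = users_behind_ip(recs, ip) or "none (never authenticated)"
        print(f"{ip} tripped the rule at {when}; users seen: {users}")
```

With a limit of 5 connections per 60 seconds the script flags both the office NAT address and the unauthenticated source; the two only look different once you list which accounts authenticated from each address, which is why a per-IP user breakdown from detailed logs is the practical way to tell a false positive from a real one, and why whitelisting the office address (the `whitelist` parameter here) is the usual remedy.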
