Reply to: Dave Marchette
      Re: [IMail Forum] syn flood, Imail and service providers. on Monday 5:12:02 PM

Yes. I would not run Imail without ISS RealSecure or the original BlackICE Server Protection. It can block library attacks and almost all common server attacks automatically.

It's not very expensive either. See:
http://blackice.iss.net/product_server_protection.php

--
Roger Heath
[EMAIL PROTECTED]
www.rleeheath.com


----- Copy of Original Message(s): -----

D> Greetings all,

D> Has anyone had this happen yet?

D> During a SYN flood attack, an attacker can attempt to saturate your link to/from
D> the Internet by sending spoofed SYN packets to your edge router. If the attacker
D> has more bandwidth at his/her disposal than you, then the DoS is due to link
D> saturation. In such a case, one's only defense is to contact the upstream service
D> provider (AT&T, Sprint or whoever you use) and ask them to filter requests on the
D> port and IP being attacked. This will open the link back up to normal traffic on
D> all but the ports being attacked. SYN floods last anywhere from several minutes
D> to several weeks, depending on how ferocious the attack is and how good the
D> attacker is. Since the nature of these attacks is that the originating IP can be
D> spoofed, there is no reliable way to trace back to the attacker. A firewall can
D> drop the SYN packets (if it is capable of SYN proxy), protecting your server from
D> the DoS, but if your link is saturated, this may not be enough. Imail's web
D> server, specifically, can barely handle a minimal load, much less a well
D> orchestrated SYN attack (a firewall is absolutely mandatory these days, especially
D> when Imail is in the mix, but it will _not_ help if your link is saturated by a
D> conversation existing between your router and the attacker).

D> If you are running an Imail server (an easily identifiable and high-probability
D> target) and the attack is on one of your critical ports, like 25, 110, 80, or
D> 443, then you have to call the upstream provider and have them filter on the
D> port being attacked. This means that no one on the Internet will be able to hit
D> the ports that are blocked.

D> This is becoming a very common attack. Two of our high-end 45 meg DS-3 customers
D> were recently attacked in this way. Their DS-3s were saturated by SYN packets. By
D> some lucky chance, the attack was to ports that were not being used, and because
D> of this it was easy to call the upstream provider and have them block the ports
D> to the IP being attacked, freeing the link from saturation. The attack lasted 18
D> days.

D> The question is this: if the attacker sent the SYN flood to important ports, say
D> 25 and 80, and the only defense was to block access to these ports way upstream,
D> how could you get back online quickly? You could receive mail on your backup MX,
D> but you could not send mail (because the block is bidirectional... you'd have to
D> loop all outgoing mail through another Imail server on another IP, I suppose),
D> nor could you use POP if the attack was on 110. Has anyone been through this yet,
D> and if so, what creative methods did you use to defend yourself?

D> Dave
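Dave's post draws the line that matters in practice: a SYN-proxying firewall can drop the spoofed SYNs, but once the SYN traffic alone fills the pipe the only remedy is an upstream filter on the attacked IP and port. The script below is an added example, not code from either poster or from Ipswitch. It reads a constructed packet-summary format (one line per packet: timestamp, source, destination, port, flag, bytes), measures the SYN rate per targeted ip:port, estimates how many bits per second those SYNs consume, and tells you which of the two situations you are in. The 60-byte SYN size, the 90% saturation threshold, the 500 SYN/s trigger and the generated traffic are all assumptions made for the example.

```python
"""Triage a SYN flood from packet-summary lines.

Decides, per targeted ip:port, whether the SYN traffic alone is enough to
saturate the link (so only an upstream filter helps) or whether a
SYN-proxying firewall can absorb it.  The record format and the traffic
generator are constructed for this example.
"""
import random
from collections import defaultdict
from dataclasses import dataclass

SYN_WIRE_BYTES = 60        # assumption: a bare TCP SYN is about 60 bytes on the wire
SATURATION_FRACTION = 0.9  # assumption: treat >= 90% of link capacity as saturated


@dataclass
class Verdict:
    dst_ip: str
    dst_port: int
    syn_per_sec: float
    unique_sources: int
    completed_ratio: float  # SYN senders that later ACKed / all SYN senders (near 0 in a flood)
    syn_bps: float          # bits per second of SYN traffic aimed at this ip:port
    link_saturated: bool
    action: str


def parse(lines):
    """Each line: '<epoch_seconds> <src_ip> <dst_ip> <dst_port> <flag> <bytes>';
    flag is 'S' for a bare SYN or 'A' for an ACK. Lines starting with '#' are comments."""
    recs = []
    for ln in lines:
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        ts, src, dst, port, flag, size = ln.split()
        recs.append((float(ts), src, dst, int(port), flag, int(size)))
    return recs


def analyze(lines, link_bps, syn_rate_threshold=500.0):
    """Return a Verdict for every ip:port whose SYN rate exceeds the threshold."""
    recs = parse(lines)
    if not recs:
        return []
    t0 = min(r[0] for r in recs)
    t1 = max(r[0] for r in recs)
    window = max(t1 - t0, 1.0)  # seconds covered by the capture, at least one
    syn_count, syn_bytes = defaultdict(int), defaultdict(int)
    syn_srcs, ack_srcs = defaultdict(set), defaultdict(set)
    for _, src, dst, port, flag, size in recs:
        key = (dst, port)
        if flag == "S":
            syn_count[key] += 1
            syn_bytes[key] += size
            syn_srcs[key].add(src)
        elif flag == "A":
            ack_srcs[key].add(src)  # a source that ACKs is a real client, not a spoofed one
    verdicts = []
    for (dst, port), n in syn_count.items():
        rate = n / window
        if rate < syn_rate_threshold:
            continue
        srcs = syn_srcs[(dst, port)]
        completed = len(srcs & ack_srcs[(dst, port)]) / len(srcs)
        bps = syn_bytes[(dst, port)] * 8 / window
        saturated = bps >= SATURATION_FRACTION * link_bps
        if saturated:
            action = (f"link saturated: ask the upstream provider to filter tcp/{port} "
                      f"to {dst} ({bps / 1e6:.1f} Mb/s of SYNs on a {link_bps / 1e6:.0f} Mb/s link)")
        else:
            action = f"link has headroom: a SYN-proxying firewall can drop the SYNs to {dst}:{port}"
        verdicts.append(Verdict(dst, port, rate, len(srcs), completed, bps, saturated, action))
    return verdicts


def make_traffic(n_spoofed_syns, n_real_clients, dst="203.0.113.10", port=25, seed=1):
    """Constructed sample: spoofed SYNs spread over one second from random
    sources, plus real clients that send a SYN and then complete the handshake."""
    rng = random.Random(seed)
    lines = ["# epoch src dst dport flag bytes"]
    for i in range(n_spoofed_syns):
        src = f"{rng.randrange(1, 224)}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
        lines.append(f"{i / n_spoofed_syns:.6f} {src} {dst} {port} S {SYN_WIRE_BYTES}")
    for j in range(n_real_clients):
        src = f"198.51.100.{j % 254 + 1}"
        lines.append(f"0.500000 {src} {dst} {port} S {SYN_WIRE_BYTES}")
        lines.append(f"0.600000 {src} {dst} {port} A 52")
    return lines


if __name__ == "__main__":
    ds3 = 45e6  # the 45 Mb/s DS-3 from the post
    for n in (5_000, 100_000):
        for v in analyze(make_traffic(n, 50), link_bps=ds3):
            print(f"{v.dst_ip}:{v.dst_port} {v.syn_per_sec:.0f} SYN/s from {v.unique_sources} sources, "
                  f"{v.completed_ratio:.1%} completed handshakes -> {v.action}")
```

Two things the numbers make concrete: at 5,000 SYN/s the attack uses well under 3 Mb/s, so a firewall with SYN proxy handles it without the provider's help; at 100,000 SYN/s the SYNs alone exceed 90% of a DS-3 and the only thing left is the upstream filter, which is exactly the bidirectional outage on the mail ports that Dave asks about. The near-zero completed-handshake ratio across tens of thousands of distinct sources is the signature of spoofed SYNs rather than a legitimate traffic spike.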
