On Thu, Jan 27, 2011 at 12:04:26PM -0500, Randy Ramsdell wrote:

>> 300s for each line as in: mail from: blah ---> 300s?
>
> What I am getting at here is that the attack will still succeed if using it 
> for DOS. I am not trying to trivialize this work, but understand how this will
> stop an attack vs. increase the time before the system is fully hosed.

With the new code Postfix timeouts will closely match the reasonable
naive expectations of system administrators. You can now make intuitive
estimates of how long a client can hog an SMTP connection, and keep
in mind that under load stress=yes, and the timers are shorter.

Yes, SMTP servers are not DDoS proof, nothing is, but this evolution
makes Postfix behaviour more deterministic and intuitive. This work does
not stop DDoS attacks, but remember that many DoS issues are from poorly
written clients, rather than deliberate large-scale attacks.

-- 
        Viktor.
