From: Pavel Kankovsky (peakargo.troja.mff.cuni.cz)
Date: Sun Jul 15 2001 - 04:42:00 CDT

    On Thu, 12 Jul 2001 Valdis.Kletnieksvt.edu wrote:

    > I've seen multiple systems that don't understand the meaning of "required
    > delay before retry" as per RFC1123 - systems that in their normally broken
    > state will retry over and over and over. I can sympathize with your
    > 7x/sec - I once got hit by something that retried 10x/sec for about 2 days
    > before I finally found the owner and chastised them....

    I have seen a system failing to understand both the meaning of "required
    delay before retry" and the meaning of standard SMTP reply codes recently!
    The receiving MTA failed to accept some messages with 5xx after DATA, yet
    the system in question kept those messages in its queue and tried to send
    them again and again. It was MS Exchange (surprise) behind some
    unidentified kind of proxy (*). Fortunately, the rate was "only" 2 retries
    every 30 seconds (1 retry per 1 queued message) for ca. 20 hours until
    it was stopped by human intervention.

    I see a trend: Yesterday, the Internet was a happy place free of DoS
    attacks. Today, we suffer from a relatively small number of intentional
    DoS attacks. Tomorrow, the whole Internet will collapse under a massive
    wave of accidental DoS attacks caused by braindead software written and
    configured by ignorant people. :P

    (*) As far as I remember, the proxy said something like
    "220-server.dns.name Connection Established\r\n220 ESMTP\r\n" when an SMTP
    connection was open to it and something including the client's DNS name
    when the connection was closed. I'd be grateful if anyone could identify
    that piece of software and tell me.

    --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."

    ----------------------------------------------------------------------------

    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see:

    http://aris.securityfocus.com
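
The two failure modes described in the message above (re-sending a message after a 5xx reply, and retrying without the required delay) can be spotted on the receiving side from MTA logs. The following is an added example, not part of the original post: the log format, host names and Message-IDs are constructed for illustration, and the 30-minute threshold is the minimum retry interval recommended in RFC 1123 section 5.3.1.1.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical, simplified log format (not a real MTA's):
# ISO timestamp, client host, Message-ID, final SMTP reply code after DATA.
SAMPLE_LOG = """\
2001-07-14T08:00:00 mx.sender.example <a1@sender.example> 554
2001-07-14T08:00:30 mx.sender.example <a1@sender.example> 554
2001-07-14T08:01:00 mx.sender.example <a1@sender.example> 554
2001-07-14T08:00:10 relay.other.example <b7@other.example> 451
2001-07-14T08:45:10 relay.other.example <b7@other.example> 250
2001-07-14T09:00:00 fast.third.example <c3@third.example> 450
2001-07-14T09:00:05 fast.third.example <c3@third.example> 450
"""

MIN_RETRY = timedelta(minutes=30)  # RFC 1123 5.3.1.1: retry interval SHOULD be >= 30 min


def parse(log_text):
    """Yield (time, client, msgid, code) from the simplified format above."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines rather than guessing
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])


def find_bad_retries(log_text, min_retry=MIN_RETRY):
    """Return {client: {"after_5xx": n, "too_fast": n}} for misbehaving senders."""
    last = {}  # (client, msgid) -> (time, code) of the previous attempt
    findings = defaultdict(lambda: {"after_5xx": 0, "too_fast": 0})
    for when, client, msgid, code in sorted(parse(log_text)):
        prev = last.get((client, msgid))
        if prev is not None:
            prev_when, prev_code = prev
            if 500 <= prev_code <= 599:
                # 5xx is a permanent failure: the message must not be re-sent
                findings[client]["after_5xx"] += 1
            elif 400 <= prev_code <= 499 and when - prev_when < min_retry:
                # 4xx may be retried, but only after the required delay
                findings[client]["too_fast"] += 1
        last[(client, msgid)] = (when, code)
    return dict(findings)


if __name__ == "__main__":
    for client, counts in find_bad_retries(SAMPLE_LOG).items():
        print(client, counts)
```

A client with a non-zero `after_5xx` count is a candidate for temporary blocking or rate limiting at the connection level while its operator is contacted.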