[Dovecot] SSL renegotiation vulnerability

Robert Schetterer robert at schetterer.org
Wed Oct 26 12:01:51 EEST 2011

Am 26.10.2011 10:43, schrieb Steinar Bang:
>>>>>> Steinar Bang <sb at dod.no>:
>>>>>> Timo Sirainen <tss at iki.fi>:
>>> I don't know if I'm doing something wrong, but I can't even cause a
>>> DoS. Even while all imap-login processes are eating 100% CPU (almost
>>> 500 handshakes/second), I can successfully log in with another client.
>> Are you using the tool linked to in the article, to stress the server?
>>   http://www.thc.org/thc-ssl-dos/
> Here's what the article says about stressing dovecot:
>  "All server services that use SSL can in principle be affected.
>   Digi.no has tested the tool against an older, internal server running
>   Linux. The attack against Apache/HTTPD was unsuccessful, because SSL
>   Renegotiation was disabled by default. But an attack against a
>   POP3S-based (encrypted e-mail) service delivered by the server software
>   Dovecot drove the CPU load to the ceiling with over a thousand
>   "handshakes" per second. The attack did not make the whole machine
>   unavailable, but the POP3S service was in practice unusable for as
>   long as the attack lasted."
> A quick translate:
>   All services using SSL can be affected.  Digi.no has tested the tool
>   against an old, internal server running Linux.  The attack against
>   Apache httpd failed, because SSL Renegotiation was deactivated by
>   default.   But an attack against a POP3S (encrypted email) service
>   delivered by the server program Dovecot, ran the CPU-load into the
>   roof with over a thousand "Handshakes" per second.  The attack didn't
>   cause the computer to be inaccessible, but the POP3S-service was
>   unusable for the duration of the attack.
> So it looks like they didn't test IMAPS access, only POP3S.

however, wasn't it ever possible to stress any service via DDoS?
this tool may only be very effective in doing that

the main problem I see is, not everybody can use fail2ban on his servers
for keeping out dummy auth users over NAT (I have such a case)

anyway, firewalls should slow down DDoS attacks, which might cause other
problems then *g, but for sure not from one IP

just a few thoughts.., for sure, the best way would be getting it fixed
Best Regards

MfG Robert Schetterer
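The thread's mitigation options (fail2ban, firewall rate limiting) both come down to counting new TLS connections per source address and reacting when one address far exceeds normal behaviour. The following is an added illustration, not code from Dovecot or from anyone in this thread: a sliding-window counter over login-connect log lines. The log format is an assumption (a generic "<timestamp> <service>: connect from <ip>" line, not Dovecot's real format), the sample lines are constructed, and the IP addresses are documentation-range placeholders. The `allowlist` parameter models the NAT situation mentioned above, where one gateway address legitimately carries many users and must not be blocked.

```python
"""Sliding-window detection of handshake floods, keyed by source IP.

Added example (not Dovecot's code). Log format and sample data are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed generic line format: "<ISO timestamp> <service>: connect from <ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<svc>\S+): connect from (?P<ip>[0-9.]+)$")


def parse_line(line):
    """Return (timestamp, service, ip) for a matching line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("svc"), m.group("ip")


def find_floods(lines, window_seconds=1.0, threshold=20, allowlist=()):
    """Flag source IPs that open >= threshold connections within any window.

    Returns {ip: peak_connections_in_window}. IPs in allowlist (e.g. a NAT
    gateway shared by many legitimate users) are never flagged.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _svc, ip = parsed
        if ip in allowlist:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window (lines are time-ordered).
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def make_sample_log():
    """Constructed log: one flooding IP plus one busy-but-normal NAT gateway."""
    base = datetime(2011, 10, 26, 10, 0, 0)
    events = []
    # 50 connects in one second from a single address (the flood pattern).
    for i in range(50):
        ts = base + timedelta(milliseconds=20 * i)
        events.append((ts, f"{ts.isoformat()} pop3-login: connect from 203.0.113.7"))
    # 30 connects spread over a minute from a NAT gateway (normal office traffic).
    for i in range(30):
        ts = base + timedelta(seconds=2 * i)
        events.append((ts, f"{ts.isoformat()} imap-login: connect from 198.51.100.2"))
    events.sort(key=lambda e: e[0])
    return [line for _, line in events]


if __name__ == "__main__":
    for ip, peak in find_floods(make_sample_log()).items():
        print(f"flood candidate {ip}: {peak} connects within 1 s")
```

Only the single-address flood is reported; the NAT gateway's 30 connects per minute never reach the threshold, and putting it on the allowlist covers the case where it would. The trade-off is the one raised above: per-IP blocking is cheap and works against a single source, but it cannot distinguish one attacker behind a NAT from the other users sharing that address, so the real fix remains limiting renegotiation in the server itself.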

