[Dovecot] SSL renegotiation vulnerability
robert at schetterer.org
Wed Oct 26 12:01:51 EEST 2011
Am 26.10.2011 10:43, schrieb Steinar Bang:
>>>>>> Steinar Bang <sb at dod.no>:
>>>>>> Timo Sirainen <tss at iki.fi>:
>>> I don't know if I'm doing something wrong, but I can't even cause a
>>> DoS. Even while all imap-login processes are eating 100% CPU (almost
>>> 500 handshakes/second), I can successfully log in with another client.
>> Are you using the tool linked to in the article, to stress the server?
> Here's what the article says about stressing dovecot:
> "Alle servertjenester benytter SSL kan i utgangspunktet være
> berørt. Digi.no har testet verktøyet mot en eldre, intern server som
> kjører Linux. Angrepet mot Apache/HTTPD var mislykket, fordi SSL
> Renegotiation var deaktivert som standard. Men en angrep mot en
> POP3S-basert (kryptert e-post) tjeneste levert av serverprogramvaren
> Dovecot, kjørte CPU-lasten i taket med over tusen «handshakes» i
> sekundet. Angrepet førte ikke til at hele maskinen ble utilgjengelig,
> men POP3S-tjenesten ble i praksis ubrukelig så lenge angrepet varte."
> A quick translate:
> All services using SSL can be affected. Digi.no has tested the tool
> against an old, internal server running Linux. The attach against
> Apache httpd failed, because SSL Renegotiation was deactivated by
> default. But an attach against a POP3S (encrypted email) service
> delivered by the server program Dovecot, ran the CPU-load into the
> roof with over a thousand "Handshakes" per second. The attack didn't
> cause the computer to be inaccessible, but the POP3S-service was
> unusable for the duration of the attack.
> So it looks like they didn't test IMAPS access, only POP3S.
however wasnt it possible ever to stress any service via ddos ?
this tool may only very effective in doing that
the most problem is see , not everybody can use fail2ban on his servers
by keeping out dummy auth users over nat ( I have such case )
anyway ,firewalls should slow down ddos attacks, which might cause other
problems then *g, but for sure not from one ip
just a few thoughts..,for sure ,best way would be, getting it fixed
MfG Robert Schetterer
More information about the dovecot