Empirical Analysis of Denial of Service Attack Against SMTP Servers Boldizsár BENCSÁTH, Laboratory of Cryptography and System Security (CrySyS) Budapest.

Presentation transcript:

Slide 1: Empirical Analysis of Denial of Service Attack Against SMTP Servers. Boldizsár BENCSÁTH, Laboratory of Cryptography and System Security (CrySyS), Budapest University of Technology and Economics. This is joint work with Miklós Aurél RÓNAI.

Slide 2: Spam is a REAL problem today
[Figure: spam (blue) vs. normal e-mails / ham (green) over time.]
As of 03/27/2007: ~10-fold increase in the number of spam messages.

Slide 3: Why measure performance?
- Many servers are overloaded.
- Sometimes they even stop responding or simply restart (a DoS situation).
- We don't know the performance of the server.
- As more and more spam arrives, we should expect more problems (DoS, etc.).
- Can we mount a successful DoS attack against the server easily?
- Can we protect our server against DoS attacks?
- How does content filtering (virus and spam filtering) affect the server?

Slide 4: Related work
- Some information is available on performance, but it is not enough (sometimes no data on content filtering, or no real comparison, etc.).
- Microsoft has a more complex test to calculate the performance needs of their Exchange architecture, but it is too complex (we don't want to analyze the performance of e.g. the calendar and address book).
- Some information is available on spam traffic and also some on DoS situations in SMTP servers, but it is not very informative.
- We tried to make some standard measurements to support our other research activity, e.g. DoS protection.

Slide 5: The performance testing of SMTP is complicated
- It's hard to send e-mails (complicated application, network connectivity can hang, resource consumption is high for random e-mails, which are needed for testing the spam engine).
- It's hard to coordinate the sending (starting at the same time).
- It's hard to measure successful transfers.
- SMTP delivery is a multi-step process (explained later).
- Too much overload can cause the server to hang.
- Different SMTP servers can work in very different ways.

Slide 6: SMTP delivery
- The SMTP server gets a new message.
- The server puts it into a temporary queue.
  - Sometimes it delivers without the temporary queue.
- The server sometimes/always/immediately/later checks the temporary queue and finds the e-mail.
  - If the target server (or e.g. content filtering) is not responding, retries and retry timeouts can occur.
  - If the server is overloaded, the delivery process can be delayed.
- The server tries to deliver the message (or starts content filtering).
  - Sometimes content filtering results in a new e-mail (dual SMTP setup).

Slide 7: Phases of delivery during the test
- Phase 1: SMTP server receives and delivers messages.
- Phase 2: SMTP server receives into the temporary queue, no or low-speed delivery.
- Phase 3: no SMTP mails received, just delivery from the queue.
- Our test server: 2800 MHz, 1 GB RAM.

Slide 8: What was our approach
- Load the server fully, but do not overload it too much.
- Messages are generated on multiple computers to avoid resource problems on the tester computers.
- Coordination by an IRC-based 'botnet' architecture.
- Sending a large number of e-mails and measuring the delivery time (and ensuring through the delivery parameters that the server runs under full load).
- Tried to measure performance in the different phases of delivery.
- Standard SMTP servers with standard content filtering:
  - QMAIL, Postfix, Sendmail, Exim, MS Exchange
  - Amavisd-new, ClamAV-daemon, SpamAssassin

Slide 9: Botnet (figure)

Slide 10: First results, no content filtering (figure)

Slide 11: Some data on the delivery process (figure)

Slide 12: Delivery rate, without content filtering (figure)
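Slides 6, 7 and 12 describe the queue-based delivery process and the phases the test moves through. The following added example (not code from the presentation) shows how a defender can recover the same picture from the mail server's own log: it parses constructed Exim-style mainlog lines (the "<=" arrival / "=>" delivery convention is assumed), derives the queue depth over time and the arrival and delivery rates, and flags the phase-2 condition where arrivals outrun delivery.

```python
import re
from datetime import datetime

# Constructed sample log in Exim mainlog style (assumed format, not from the slides):
# "<=" marks a message arriving over SMTP, "=>" marks its delivery to the next hop
# (or the hand-off to the content filter in a dual-SMTP setup).
LOG = """\
2007-03-27 10:00:00 1HW1aa-000001-00 <= a@test.example H=tester1 S=4096
2007-03-27 10:00:00 1HW1ab-000002-00 <= b@test.example H=tester2 S=4096
2007-03-27 10:00:01 1HW1ac-000003-00 <= c@test.example H=tester1 S=4096
2007-03-27 10:00:01 1HW1aa-000001-00 => x@dest.example R=dnslookup T=remote_smtp
2007-03-27 10:00:02 1HW1ad-000004-00 <= d@test.example H=tester3 S=4096
2007-03-27 10:00:02 1HW1ae-000005-00 <= e@test.example H=tester2 S=4096
2007-03-27 10:00:03 1HW1ab-000002-00 => x@dest.example R=dnslookup T=remote_smtp
2007-03-27 10:00:05 1HW1ac-000003-00 => x@dest.example R=dnslookup T=remote_smtp
2007-03-27 10:00:07 1HW1ad-000004-00 => x@dest.example R=dnslookup T=remote_smtp
2007-03-27 10:00:09 1HW1ae-000005-00 => x@dest.example R=dnslookup T=remote_smtp
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (<=|=>) ")

def parse(log):
    """Yield (timestamp, message id, event) for every arrival/delivery line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def queue_profile(log):
    """Queue depth (arrived minus delivered) after each event, in log order."""
    depth, profile = 0, []
    for ts, _, ev in parse(log):
        depth += 1 if ev == "<=" else -1
        profile.append((ts, depth))
    return profile

def rate(log, kind):
    """Messages/sec for one event kind: count over the span from its first to last event."""
    ts = [t for t, _, e in parse(log) if e == kind]
    if len(ts) < 2:
        return 0.0
    span = (ts[-1] - ts[0]).total_seconds()
    return len(ts) / span if span > 0 else float("inf")

def classify(log):
    """Map a run onto the slides' phases: 1 = delivery keeps pace with arrivals,
    2 = arrivals outrun delivery (queue grows), 3 = no arrivals, queue only drains."""
    if not any(e == "<=" for _, _, e in parse(log)):
        return 3
    return 2 if rate(log, "<=") > rate(log, "=>") else 1
```

A sustained phase-2 reading on a production server is the early warning the slides are about: the queue is absorbing more than the delivery (or content-filtering) path can process.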

Slide 13: Exim and queue_only_load
- The queue_only_load parameter stops delivering e-mails if the load average is too high.
- Without this parameter, delivery is continuous throughout the test.
- Results show that for performance, this behaviour is not very important.
- Of course the parameter is important, e.g. to avoid DoS.

Slide 14: Exim with content filtering
- Clamscan is not daemonized; clamd is daemonized, i.e. always in memory.
- Clamd is clearly faster.
- Performance is down from 30 to 6.81/4.03 e-mails/sec.

Slide 15: Exim, virus+spam filtering
- Performance is down from 30 -> 6 -> 1.58 messages/sec.

Slide 16: DoS? DoS!
- Test messages: body size of 4 kB, random text.
- Exim, virus+spam filtering = 1.58 e-mails/sec.
- 1.58 e-mails/sec * 4 kB = 6.32 kB/sec payload, ~50 kbps; with overhead ~64 kbps.
- Using only 64 kbps we can overload an SMTP server with content filtering!

Slide 17: Future work
- Our tests can be easily extended:
  - other SMTP servers (e.g. Kerio, MailGate etc.)
  - other content filtering tools (MailScanner, milters, COTS tools and products)
  - other spam engines (DSPAM, commercial products)
  - different parameter settings (e.g. SpamAssassin tests)
  - test parameters (attachments, size) (now random text, 4 kB)
  - other test approaches (testing under heavy/low load etc.)
  - testing 'appliance' solutions
- The main goal is completed: some basic information is now available about the possibility of overloading (DoS) and the performance of the server.

Slide 18: Thank You!