Presentation is loading. Please wait.

Presentation is loading. Please wait.

Empirical Analysis of Denial of Service Attack Against SMTP Servers Boldizsár BENCSÁTH, Laboratory of Cryptography and System Security (CrySyS) Budapest.

Published byMeredith Elisabeth Harrison Modified over 8 years ago

Similar presentations

Presentation on theme: "Empirical Analysis of Denial of Service Attack Against SMTP Servers Boldizsár BENCSÁTH, Laboratory of Cryptography and System Security (CrySyS) Budapest."— Presentation transcript:

1 Empirical Analysis of Denial of Service Attack Against SMTP Servers Boldizsár BENCSÁTH, Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics http://www.crysys.hu/ this is joint work with Miklós Aurél RÓNAI

2 www.crysys.hu Laboratory of Cryptography and System Security 2 Spam is a REAL problem today blue: SPAMgreen: Normal e-mails (ham) time As of 03/27/2007 ~10-fold increase in number of spam

3 www.crysys.hu Laboratory of Cryptography and System Security 3 Why to measure performance?  Many e-mail servers are overloaded  Sometimes they even stop to respond or just restart (DoS situation)  We don’t know the performance of the server  As more and more spam arrives, we should expect more problems (DoS, etc.)  Can we deploy a successful DoS attack against the server easily?  Can we protect our server against DoS attacks?  How does the content filtering (virus- and spam filtering) affects the server?

4 www.crysys.hu Laboratory of Cryptography and System Security 4 Related work  Some information is available on performance, but it is not enough (sometimes no data on content filtering, or no real comparison, etc.)  Microsoft has a more complex test to calculate performance need in their Exchange architecture, but it is too complex. (we don’t want to analyze the performance of e.g. the calendar and address book)  Some information is available on the spam traffic and also some on DoS situations in SMTP servers, but not very informative  We tried to make some standard measurements to support our other research activity, e.g. DoS protection

5 www.crysys.hu Laboratory of Cryptography and System Security 5 The performance testing of SMTP is complicated  It’s hard to send e-mails (complicated application, network connectivity can hang, resource consumption is high for random emails (needed for testing spam engine))  It’s hard to coordinate the sending (starting the same time)  It’s hard to measure successful transfers  SMTP delivery it a multi-step process (explained later)  Too much overload can cause server to hang  Different SMTP servers can work in very different ways

6 www.crysys.hu Laboratory of Cryptography and System Security 6 SMTP delivery  The SMTP server gets a new message  The server puts it into a temporary queue -Sometimes it delivers without the temporary queue  The server sometimes/always/immediately/later checks the temporary queue and finds the e-mail -If the target server (or e.g. content filtering) is not responding, retry and retry timeout can occour -If the server is overloaded, the delivery process can be delayed  The server tries to deliver the message (or start content filtering) -Sometimes content filtering results in a new email (dual smtp setup)

7 www.crysys.hu Laboratory of Cryptography and System Security 7 Phases of delivery during the test  Phase 1: SMTP server receives and delivers messages  Phase 2: SMTP server receives into temporary queue, no or low speed delivery  Phase 3: no SMTP mails received, just delivery from the queue  Our test server: 2800MHz, 1GB RAM

8 www.crysys.hu Laboratory of Cryptography and System Security 8 What was our approach  Load the server fully, but not to overload too much  Messages generated on multiple computers to avoid problems by resource problems on the tester computers  Coordination by IRC based ‘botnet’ architecture  Sending a large number of emails and measuring the delivery time (and ensuring that the server runs under full load by delivery parameters)  Tried to measure performance in the different phases of delivery  Standard SMTP servers with standard content filtering  QMAIL, Postfix, Sendmail, Exim, MS Exchange  Amavisd-new, ClamAV-daemon, Spamassassin

9 www.crysys.hu Laboratory of Cryptography and System Security 9 Botnet

10 www.crysys.hu Laboratory of Cryptography and System Security 10 First results, no content filtering

11 www.crysys.hu Laboratory of Cryptography and System Security 11 Some data on delivery process

12 www.crysys.hu Laboratory of Cryptography and System Security 12 Delivery rate, without content filtering

13 www.crysys.hu Laboratory of Cryptography and System Security 13 Exim and queue_only_load  Queue_only_load parameter stops delivering e-mails if the load average is too much  Without this paramter, delivery is continuous throughout the test  Results show that for the performance, this behaviour is not very important  Of course the parameter is important, e.g. to avoid DoS

14 www.crysys.hu Laboratory of Cryptography and System Security 14 Exim with content filtering Clamscan is not daemonized, Clamd is daemonized == always in memory Clamd is clearly faster Performance is down from 30 to 6.81/4.03 e-mails/sec

15 www.crysys.hu Laboratory of Cryptography and System Security 15 Exim, virus+spam filtering Performance is down from 30->6->1.58 messages/sec

16 www.crysys.hu Laboratory of Cryptography and System Security 16 DoS? DoS! Test messages: body size of 4kb, random text Exim, virus+spam filtering = 1.58 e-mails/sec 1.58e-mails/sec*4kb=6.32 kb/sec payload, ~50kbps, with overhead ~64kbps Using only 64kbps we can overload an SMTP server with content filtering!

17 www.crysys.hu Laboratory of Cryptography and System Security 17 Future work  Our tests can be easily extended -other SMTP servers (e.g. kerio, mailgate etc.) -other content filtering tools (mailscanner, milters, COTS tools and products) -other spam engines (dspam, commercial products) -different parameter settings (e.g. spamassassin tests) -test e-mail parameters (attachments, size) (now random text 4kb) -other test approach (testing under heavy/low load etc.) -testing ‘appliance’ solutions. The main goal is completed: some basic information is now available about the possibility of overloading (DoS) and the performance of the server

18 www.crysys.hu Laboratory of Cryptography and System Security 18 Thanks Thank You! http://www.crysys.hu boldi@crysys.hu

Download ppt "Empirical Analysis of Denial of Service Attack Against SMTP Servers Boldizsár BENCSÁTH, Laboratory of Cryptography and System Security (CrySyS) Budapest."

Similar presentations

Kalpesh Vyas & Seward Khem

Kalpesh Vyas & Seward Khem
HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
TrustPort Net Gateway Email traffic protection. WWW.TRUSTPORT.COM Keep It Secure Entry point protection –Clear separation of the risky internet and secured.

TrustPort Net Gateway traffic protection. Keep It Secure Entry point protection –Clear separation of the risky internet and secured.
Data Communications and Computer Networks Chapter 1 CS 3830 Lecture 5 Omar Meqdadi Department of Computer Science and Software Engineering University of.

Data Communications and Computer Networks Chapter 1 CS 3830 Lecture 5 Omar Meqdadi Department of Computer Science and Software Engineering University of.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
IT security Are you protected against hackers?. Why are we in danger?  The Internet is worldwide, publicly accessible  More and more companies and institutes.

IT security Are you protected against hackers?. Why are we in danger?  The Internet is worldwide, publicly accessible  More and more companies and institutes.
Monks use computers to preserve their books. The information can be stored on CDs and uploaded to the Internet so that the whole world can learn from.

Monks use computers to preserve their books. The information can be stored on CDs and uploaded to the Internet so that the whole world can learn from.
Introduction to Security Computer Networks Computer Networks Term B10.

Introduction to Security Computer Networks Computer Networks Term B10.
 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.

 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.
What is SpamSniper? SpamSniper is the leading email security solution which locates in front of mail server to perform mail proxy, virus firewall and filter.

What is SpamSniper? SpamSniper is the leading security solution which locates in front of mail server to perform mail proxy, virus firewall and filter.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Email Extras Plus! Pepper. Objectives E-mail extra knowledge Cookies Picture handling when creating site.

Extras Plus! Pepper. Objectives extra knowledge Cookies Picture handling when creating site.
High Speed Internet Access At Home Broadband Technologies Security Concerns Hardware/Software Solutions William Kramp 4/12/2001.

High Speed Internet Access At Home Broadband Technologies Security Concerns Hardware/Software Solutions William Kramp 4/12/2001.
A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University

A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.
Term 2, 2011 Week 1. CONTENTS Network communications standards – Ethernet – TCP/IP Other network protocols – The 802.11 standard – Wireless application.

Term 2, 2011 Week 1. CONTENTS Network communications standards – Ethernet – TCP/IP Other network protocols – The standard – Wireless application.
Kaspersky Open Space Security: Release 2 World-class security solution for your business.

Kaspersky Open Space Security: Release 2 World-class security solution for your business.
Spam Reduction Techniques Using greylisting and SpamAssassin.

Spam Reduction Techniques Using greylisting and SpamAssassin.
TrustPort Net Gateway Email traffic protection. WWW.TRUSTPORT.COM Keep It Secure Entry point protection –Clear separation of the risky internet and secured.

TrustPort Net Gateway traffic protection. Keep It Secure Entry point protection –Clear separation of the risky internet and secured.
SIM334. Internet Comprehensive Protection Multi-Engine Antivirus and Multi layered continuously evolving Anti-spam In the Leader’s quadrant in the.

SIM334. Internet Comprehensive Protection Multi-Engine Antivirus and Multi layered continuously evolving Anti-spam In the Leader’s quadrant in the.

Similar presentations

Ads by Google