The Community Forums


Need IMAP DOS attack help

Discussion in 'General Discussion' started by FreedomNet, Sep 1, 2005.

  1. FreedomNet

    FreedomNet Active Member

    Joined:
    Mar 29, 2004
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    We are getting reports from a couple of clients of a Denial of Service type of attack that keeps forcing the IMAP service to terminate. We are seeing thousands of entries in /var/log/secure like:
    Aug 31 17:28:11 server12 xinetd[30647]: START: imap pid=31603 from=70.88.207.106
    Aug 31 17:28:11 server12 xinetd[30647]: START: imap pid=31604 from=70.88.207.106
    Aug 31 17:28:11 server12 xinetd[30647]: START: imap pid=31605 from=70.88.207.106
    Aug 31 17:28:11 server12 xinetd[30647]: START: imap pid=31606 from=70.88.207.106
    Aug 31 17:28:11 server12 xinetd[30647]: START: imap pid=31607 from=70.88.207.106
    Aug 31 17:28:11 server12 xinetd[30647]: START: imap pid=31608 from=70.88.207.106
    Aug 31 17:28:11 server12 xinetd[30647]: START: imap pid=31609 from=70.88.207.106
    Aug 31 17:28:11 server12 xinetd[30647]: START: imap pid=31610 from=70.88.207.106
    Aug 31 17:28:11 server12 xinetd[30647]: START: imap pid=31611 from=70.88.207.106
    Aug 31 17:28:11 server12 xinetd[30647]: START: imap pid=31612 from=70.88.207.106

    /var/log/maillog has tons of entries like:
    Aug 31 17:28:15 server12 imapd[31600]: Command stream end of file, while reading line user=??? host=70-88-207-106-madison-park-highschool-ne-ma.hfc.comcastbusiness.net [70.88.207.1
    Aug 31 17:28:20 server12 imapd[31594]: Null command before authentication host=70-88-207-106-madison-park-highschool-ne-ma.hfc.comcastbusiness.hfc.comcastbusiness.net [70.88.207.1
    Aug 31 17:28:20 server12 imapd[31594]: Null command before authentication host=70-88-207-106-madison-park-highschool-ne-ma.hfc.comcastbusiness.hfc.comcastbusiness.net [70.88.207.1
    Aug 31 17:28:20 server12 imapd[31594]: Command stream end of file, while reading line user=??? host=70-88-207-106-madison-park-highschool-ne-mahfc.comcastbusiness.net [70.88.207.1
    Aug 31 17:28:20 server12 imapd[31597]: Null command before authentication host=70-88-207-106-madison-park-highschool-ne-ma.hfc.comcastbusiness.hfc.comcastbusiness.net [70.88.207.1
    Aug 31 17:28:20 server12 imapd[31597]: Null command before authentication host=70-88-207-106-madison-park-highschool-ne-ma.hfc.comcastbusiness.hfc.comcastbusiness.net [70.88.207.1

    They come in from hundreds of different IP addresses so blocking the offending IP is not really an option.

    It appears that the IMAP service has a vulnerability that allows an attacker to start IMAP threads without a valid password. Then when they have consumed all the available threads, IMAP terminates.

    Any help or thoughts would be appreciated.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I've been seeing them too. I'm guessing it is because of the recent courier IMAP bug that was reported to bugtraq, which the script kiddies have an exploit for, and they're testing IMAP servers arbitrarily. I've found that once they have had their fun they move on and things settle down.

    In a way, you already have DOS protection, and you're seeing it in action: xinetd is blocking excessive connections, which is what it is meant to do. This isn't a vulnerability; it is how xinetd works. If you want to change the behaviour, you'll need to read up on how xinetd works and what options you have for configuring TCP Wrappers (which is what xinetd provides).

    Ultimately, you could also use iptables to rate-limit access to port 143, though that's possible with TCP Wrappers as well.
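The two pieces of advice in this thread, spot the flood in the `xinetd ... START: imap` lines from the first post and then cap it with xinetd's connection limits, can be tried out offline. The script below is an added example written for this page, not code from the thread or from cPanel; the log lines it parses are constructed to match the format quoted above (the flooding address 70.88.207.106 is the one in the post, the 10.0.0.x clients and the sshd line are made up), and the `per_source` / `cps` model is a deliberate simplification of what `man xinetd.conf` describes, with all thresholds chosen for illustration.

```python
"""Detect an IMAP connection flood in /var/log/secure and model how the
xinetd.conf limits `per_source` and `cps` would have treated it.
Added example for this forum thread; not cPanel's or xinetd's own code."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format quoted in the thread: one legitimate client
# (10.0.0.5), ten sockets in one second from the flooding address, then one more
# from each, plus an unrelated sshd line that the parser must skip.
SAMPLE_SECURE_LOG = "\n".join(
    ["Aug 31 17:28:10 server12 xinetd[30647]: START: imap pid=31590 from=10.0.0.5"]
    + [f"Aug 31 17:28:11 server12 xinetd[30647]: START: imap pid={31603 + i} from=70.88.207.106"
       for i in range(10)]
    + ["Aug 31 17:28:12 server12 xinetd[30647]: START: imap pid=31613 from=70.88.207.106",
       "Aug 31 17:28:12 server12 xinetd[30647]: START: imap pid=31614 from=10.0.0.5",
       "Aug 31 17:28:12 server12 sshd[31620]: Accepted publickey for admin from 10.0.0.9"]
)

START_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ xinetd\[\d+\]: START: "
    r"(?P<svc>\S+) pid=\d+ from=(?P<src>\S+)$"
)


def parse_starts(text, year=2005):
    """Return [(second, service, source_ip)] for every xinetd START line.
    syslog timestamps carry no year, so one is supplied; seconds are counted
    from Jan 1 of that year to stay independent of the local timezone."""
    origin = datetime(year, 1, 1)
    events = []
    for line in text.splitlines():
        m = START_RE.match(line)
        if not m:
            continue  # sshd, pam, etc. also write to /var/log/secure
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((int((ts - origin).total_seconds()), m["svc"], m["src"]))
    return events


def bursts_per_second(events, service="imap"):
    """Connections per (source, second) for one xinetd service."""
    counts = Counter()
    for sec, svc, src in events:
        if svc == service:
            counts[(src, sec)] += 1
    return counts


def flag_sources(events, service="imap", threshold=5):
    """Sources that opened more than `threshold` connections within one second.
    This is the signal the first post saw by eye in /var/log/secure."""
    return sorted({src for (src, _), n in bursts_per_second(events, service).items()
                   if n > threshold})


def simulate_xinetd_limits(events, service="imap", per_source=None,
                           cps_limit=50, cps_wait=10):
    """Simplified model of two xinetd.conf attributes (see man xinetd.conf):
         per_source = N  -> at most N simultaneous instances from one source
         cps = X Y       -> above X connections/second, disable the service
                            for Y seconds (xinetd's default is 50 10)
    Approximation: each instance is assumed to live for the whole second it
    started in; real xinetd tracks live child processes instead.
    Returns (accepted, refused) with a reason attached to each refusal."""
    accepted, refused = [], []
    disabled_until = -1
    total_per_sec, src_per_sec = Counter(), Counter()
    for sec, svc, src in events:
        if svc != service:
            continue
        if sec < disabled_until:
            refused.append((sec, src, "service disabled"))
            continue
        if total_per_sec[sec] >= cps_limit:
            disabled_until = sec + 1 + cps_wait  # everyone is locked out
            refused.append((sec, src, "cps"))
            continue
        if per_source is not None and src_per_sec[(src, sec)] >= per_source:
            refused.append((sec, src, "per_source"))  # only this source
            continue
        total_per_sec[sec] += 1
        src_per_sec[(src, sec)] += 1
        accepted.append((sec, src))
    return accepted, refused


if __name__ == "__main__":
    ev = parse_starts(SAMPLE_SECURE_LOG)
    print("flooding sources:", flag_sources(ev))
    for label, kw in (("per_source=4 only", dict(per_source=4)),
                      ("cps=3 10 only", dict(cps_limit=3, cps_wait=10))):
        acc, ref = simulate_xinetd_limits(ev, **kw)
        print(f"{label}: accepted {len(acc)}, refused {len(ref)}, "
              f"legit client refused: {any(s == '10.0.0.5' for _, s, _ in ref)}")
```

Running it shows the difference chirpy is pointing at: with `per_source = 4` in the imap stanza the flooding address is capped and the legitimate client on 10.0.0.5 is still served, whereas a low `cps` setting takes the whole service offline for `cps_wait` seconds and refuses the legitimate client too, which is the "IMAP terminates" symptom from the first post. For the iptables route mentioned above, the analogous per-source cap on port 143 is a `connlimit` match (for example `iptables -A INPUT -p tcp --dport 143 -m connlimit --connlimit-above 10 -j REJECT`, with the threshold an assumed value to tune for your users).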
     
  3. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
    How do I do this? What line do I add?
     
  4. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Please do not bump threads. There are plenty of iptables tutorials on the web; you'll have to use your initiative.
     
  6. FreedomNet

    FreedomNet Active Member

    Joined:
    Mar 29, 2004
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Guess we have not been as fortunate as you yet. We get hit 6 to 7 times a day and it has been going on for over a week.

    The concern is not with xinetd blocking excessive connections but that there is a way for people to take services down at all. Allowing the "script kiddies" to take down IMAP services is not acceptable and so we'll do some research in the "courier IMAP bug" you mentioned.
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's both the advantage and the pitfall of using xinetd, though you should be able to tune it so that it doesn't fall over too readily (man xinetd.conf).

    The vulnerability I mentioned isn't in the IMAP server that cPanel uses, I was postulating that the attempts were simply a broad-brush attack on any IMAP servers with the hope of getting lucky.
     