Next-generation DoS at the higher layers: A study of SMTP flooding

Abstract

In this paper, we study distributed denial of service (DDoS) attacksthat establish connections at the higher layers of the protocol stack, in order to maximize resource depletion on the targeted servers. In particular, we concentrate on attacks directed at SMTP applications on incoming mail servers. We first describe our experiments on the feasibility of such attacks on two widely used SMTP server applications: Microsoft Exchange 2010 and Postfix 2.8. The results show that both applications can survive relatively strong attacks, if configured properly. Although it was shown that Microsoft Exchange 2010 handles the attacks better than Postfix, both applications can benefit from hardened configurations. In particular, we show the efficacy of their connection timeout mechanisms as a protection against this kind of DoS attack. We first show that default timeout parameters give weak protection for Postfix, but that Exchange's default throttling policy makes attacks ineffective. We then statically modify the timeout value and other parameters in Postfix in order to measure their impact on the performance under an SMTP flood attack. The results obtained allow us to make recommendations about optimal configurations in terms of quality of service for legitimate clients. © 2013 Springer-Verlag.