[Full-Disclosure] SMTP non delivery notification DoS/DDoS Attacks

From: Stefan Frei (stefan.frei_at_techzoom.net)
Date: 04/05/04

  • Next message: Carolyn Meinel: "[Full-Disclosure] A sucker is born every day"
    To: <full-disclosure@lists.netsys.com>
    Date: Mon,  5 Apr 2004 20:26:08 +0000
    
    

    Dear list members,

    My colleagues and I have been doing some research into a mail-related vulnerabilities over the last month or two. We discovered that a problem exists within the way non-delivery notifications are sent from many SMTP mail servers. This problem can be successfully (and rather easily) turned into an effective denial of service (DoS). The vulnerability affects many of the popular SMTP commercial offerings, but is dependant upon their configuration. In general, larger organisations tend to be more vulnerable.

    The authors had planned on releasing this analysis after the Easter break. Unfortunately we have noticed that a popular vulnerability discussion forum has already begun discussing the vulnerability in a such a fashion which may lead to attacks over the long weekend. Therefore we have found it necessary to release the paper sooner in an effort to allow developer and administrators to secure their SMTP mail services in time.

    This vulnerability appears to affect around 30% of our main study group (the Fortune 500), and has significance to all essential e-mail communications. The authors have proved that this vulnerability can be easily exploited and can be used to DoS almost any SMTP service on the Internet. By utilising multiple vulnerable STMP servers, a distributed DoS is possible, and can be used to cause the loss of mail services (and in extreme cases all Internet connectivity) to any organisation.

    Paper Abstract:
    Analysis of e-mail non-delivery receipt handling by live Internet-bound e-mail servers has revealed a common implementation fault that could form the basis of a new range of DoS attacks. Our research in the field of e-mail delivery revealed that mail servers may respond to mail delivery failure with as many non-delivery reports as there are undeliverable Cc: and Bcc: addresses contained in the original e-mail. Non-delivery notification e-mails generated by these systems often include a full copy of the original e-mail sent in addition to any original file attachments. This behaviour allows malicious users to leverage these mail server implementations as force multipliers and flood any target e-mail system or account.

    The paper is available from:

    http://www.techzoom.net/mailbomb

    --
    best regards 
    Stefan Frei
    --------------------------------------------------------------
    frei@techzoom.net [techzoom.net]
    --
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    

  • Next message: Carolyn Meinel: "[Full-Disclosure] A sucker is born every day"