Preventing SMTP Denial of Service Attacks from Specific IP Addresses

Technote (FAQ)


Question

Customers have reported instances where their Lotus Domino server was a target for an SMTP denial-of-service attack. The same IP address tried to open an SMTP connection over and over again:


    19.02.2003 21:13:44 SMTP Server: xxx.xxx.xxx.xxx connected
    19.02.2003 21:13:44 SMTP Server: xxx.xxx.xxx.xxx connected
    19.02.2003 21:13:44 SMTP Server: xxx.xxx.xxx.xxx connected


After a very long time, the SMTP server was able to disconnect these sessions:


    19.02.2003 22:13:05 SMTP Server: disconnected. 0 message[s] received
    19.02.2003 22:13:05 SMTP Server: disconnected. 0 message[s] received
    19.02.2003 22:13:05 SMTP Server: disconnected. 0 message[s] received


Changing the Configuration document to prohibit this IP address from connecting rejects the connection but does not prevent the attack:

    19.02.2003 22:23:37 SMTP Server [0860:0187-0B68] Connection from [xxx.xxx.xxx.xxx] rejected for policy reasons. Connecting host is denied in your configuration.
    19.02.2003 22:23:37 SMTP Server [0860:0188-0508] Connection from [xxx.xxx.xxx.xxx] rejected for policy reasons. Connecting host is denied in your configuration.
    19.02.2003 22:23:37 SMTP Server [0860:018C-0BB0] Connection from [xxx.xxx.xxx.xxx] rejected for policy reasons. Connecting host is denied in your configuration.
    19.02.2003 22:23:37 SMTP Server [0860:018A-0B54] Connection from [xxx.xxx.xxx.xxx] rejected for policy reasons. Connecting host is denied in your configuration.


Even with this setting, the SMTP task is so busy rejecting the connections that no new mail can be received. Is there any way to prevent this kind of attack?

Answer

This issue has been reported to Lotus software Quality Engineering. Beginning in Domino 6.0.1, when the administrator detects this problem occurring, the administrator can set one of two NOTES.INI parameters to stop accepting connections from specific IP addresses. For the R5 codestream, these INI parameters were added in Domino 5.0.13.


The parameters are as follows:

<Name>AllowAddresses = addresses
<Name>DenyAddresses = addresses

The value you use for <Name> is as follows:

  • For NRPC connections, use Server, so the parameter reads ServerAllowAddresses or ServerDenyAddresses.
  • For Internet service framework listeners (not the Web server), use the name of the Internet service, such as POP3AllowAddresses.

The value for addresses is a comma-separated list of IP addresses. Within an address, an asterisk can be used as a wildcard for any one part (octet) of the address. For example:
  • ServerAllowAddresses = 10.0.0.1, 10.0.*.2
  • POP3DenyAddresses = 10.0.0.1, 10.*.*.*
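The following is an added illustration, not Domino's own code, of how an address list in the form shown above can be interpreted: a comma-separated list of dotted-quad addresses in which an asterisk stands for any value of that octet, checked at the moment a connection is accepted. The technote does not state how allow and deny lists interact, so the precedence implemented in accept_connection (deny match refuses; a non-empty allow list restricts to its matches; otherwise accept) is an assumption, as are the function names.

```python
"""Added example: interpret <Name>AllowAddresses / <Name>DenyAddresses
style lists such as

    ServerAllowAddresses = 10.0.0.1, 10.0.*.2
    POP3DenyAddresses    = 10.0.0.1, 10.*.*.*

Only the semantics stated in the technote are assumed (comma-separated
list, '*' matches one whole octet). This is not Domino's implementation."""

from ipaddress import IPv4Address


def parse_address_list(value: str) -> list[list[str]]:
    """Split 'a, b, c' into a list of four-part patterns; each part is a
    decimal octet or '*'. Malformed entries raise ValueError rather than
    silently matching nothing."""
    patterns = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split(".")
        if len(parts) != 4:
            raise ValueError(f"not a dotted-quad pattern: {entry!r}")
        for part in parts:
            if part != "*" and not (part.isdigit() and 0 <= int(part) <= 255):
                raise ValueError(f"bad octet {part!r} in {entry!r}")
        patterns.append(parts)
    return patterns


def matches(pattern: list[str], address: str) -> bool:
    """True if every octet of address equals the pattern octet, or the
    pattern octet is '*'. IPv4Address() validates the peer address."""
    octets = str(IPv4Address(address)).split(".")
    return all(p == "*" or p == o for p, o in zip(pattern, octets))


def accept_connection(address: str, allow: str = "", deny: str = "") -> bool:
    """Decision taken in the listening thread, before any worker thread or
    session exists. Assumed precedence (not stated in the technote):
    a deny match refuses; an allow list, when present, restricts
    connections to its matches; otherwise the connection is accepted."""
    for pattern in parse_address_list(deny):
        if matches(pattern, address):
            return False
    allow_patterns = parse_address_list(allow)
    if allow_patterns:
        return any(matches(p, address) for p in allow_patterns)
    return True


if __name__ == "__main__":
    # Constructed peers checked against the two lists shown in the technote.
    print(accept_connection("10.0.5.2", allow="10.0.0.1, 10.0.*.2"))    # True
    print(accept_connection("10.200.1.1", deny="10.0.0.1, 10.*.*.*"))   # False
```

The point of checking in accept_connection before anything else is allocated is the same one the answer makes about Domino 6.0.1: the cost of a refused connection stays on the single listening thread and never grows into a per-connection thread or session.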

The first time such a parameter is added to NOTES.INI the change is dynamic; that is, the server need not be restarted. Any later change to the parameter takes effect only after the server is restarted.

To find the IP address or addresses that the administrator wants to block, the administrator can use one of two methods:

1. On the server that you believe is under attack, enter the following console command, where tcpip is the name of your TCP port:
    show port tcpip
   This command lists all the current connections. If you see many connections from a single IP address, that address is probably the culprit.

2. Use a platform-specific tool such as NETSTAT to list all the active TCPIP connections and, again, look for a single IP address that is making the majority of the connections.
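As an added example of the second method (not part of the technote), the script below counts connections to the SMTP port per remote address in netstat-style output and reports the address holding most of them. The sample output is constructed to resemble `netstat -an`; real column layout differs between platforms, so the parser relies only on the protocol, local and foreign `addr:port` columns. The function names and the 50% threshold are assumptions.

```python
"""Added example: find the remote address that accounts for most of the
connections to the SMTP port in netstat-style output. SAMPLE_NETSTAT is
constructed data, not output from a real Domino host."""

from collections import Counter
from typing import Iterator, Optional, Tuple

SAMPLE_NETSTAT = """\
Proto  Local Address      Foreign Address      State
TCP    10.1.1.5:25        203.0.113.9:51022    ESTABLISHED
TCP    10.1.1.5:25        203.0.113.9:51023    ESTABLISHED
TCP    10.1.1.5:25        203.0.113.9:51024    ESTABLISHED
TCP    10.1.1.5:25        203.0.113.9:51025    CLOSE_WAIT
TCP    10.1.1.5:25        198.51.100.7:40211   ESTABLISHED
TCP    10.1.1.5:1352      198.51.100.20:1352   ESTABLISHED
TCP    10.1.1.5:25        203.0.113.9:51026    ESTABLISHED
"""


def parse_connections(text: str, local_port: int = 25) -> Iterator[Tuple[str, str]]:
    """Yield (remote_ip, state) for TCP lines whose local port is local_port.
    Header lines and non-TCP rows are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local, foreign, state = fields[1], fields[2], fields[3]
        _, _, lport = local.rpartition(":")      # split off the local port
        rhost, _, _ = foreign.rpartition(":")    # keep only the remote host
        if lport.isdigit() and int(lport) == local_port:
            yield rhost, state


def connections_per_remote(text: str, local_port: int = 25) -> Counter:
    """Number of connections to local_port, keyed by remote address."""
    return Counter(ip for ip, _ in parse_connections(text, local_port))


def top_talker(text: str, local_port: int = 25, share: float = 0.5) -> Optional[Tuple[str, int]]:
    """Return (ip, count) for the remote address holding more than `share`
    of the connections to local_port, or None when there are no connections
    or no single address dominates."""
    counts = connections_per_remote(text, local_port)
    total = sum(counts.values())
    if not total:
        return None
    ip, n = counts.most_common(1)[0]
    return (ip, n) if n / total > share else None


if __name__ == "__main__":
    print(connections_per_remote(SAMPLE_NETSTAT))
    print(top_talker(SAMPLE_NETSTAT))   # ('203.0.113.9', 5)
```

A single address holding five of six SMTP connections is the pattern the technote describes; that address is the candidate for the DenyAddresses parameter.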

Without this NOTES.INI setting, for each TCPIP connection made, either a new thread is allocated and dispatched (for Internet servers) or a new session is created (for the NRPC server). That new thread or session must then be context-switched in, initialized, perform its read, detect that the connection has broken, and then dissolve itself. Doing this for a constant stream of thousands of connections lets the single thread that accepts connections get ahead of the many threads that are trying to destroy them, and the server runs out of virtual memory.

The change made in Domino 6.0.1 is a simple check for a NOTES.INI variable right at the point that a new connection arrives in the single listening thread. If the pattern matches, the connection is dropped before a new thread or session is even created. Because the same single listening thread is also the one dropping the bad connections, it can never get behind. So when the attack occurs, CPU use can rise, but not dangerously so, and memory use is not affected at all.

Excerpt from the Lotus Notes and Domino Release 5.0.13 / 5.0.13a MR fix list (available at http://www.ibm.com/developerworks/lotus ):
  • SPR# JFOR5BNGUM - This fix provides the Administrator with two notes.ini variables to stop a denial of service attack on the network under certain circumstances. See technote #1105201 for complete details.



Document information

More support for: Lotus End of Support Products, Lotus Domino Server
Software version: 5.0, 6.0, 6.5
Operating system(s): AIX, Linux, Solaris, Windows, i5/OS, z/OS
Reference #: 1105201
Modified date: 2010-01-18
