[Asrg] Dictionary Attacks
Barry Shein <bzs at world.std.com> wrote:
> On November 17, 2008 at 16:47 davidnicol at gmail.com (David Nicol) wrote:
>>
>> I'm wondering why World doesn't script a little log watcher that
>> identifies the source of dictionary attacks and drop all their packets
>> at the perimeter for a few hours when they occur.
>
> Of course we do that sort of thing, almost exactly that.
This is a tactic _many_ ISPs have considered, and a good number have
implemented. It, of course, cannot fully protect against dictionary
attacks, because a dictionary attack can be distributed...
> But one gets a little frustrated when it's all of earthlink's (e.g.)
> servers which are being blocked most of the time.
>
> Occasionally we've had to put in exceptions allowing them thru so mail
> customers want gets through.
Indeed, Earthlink is one of the ISPs (by no means the worst) that
sends significant amounts of both abusive traffic and wanted traffic.
IMHO, Earthlink _does_ make efforts to limit abusive traffic.
Earthlink _cannot_ avoid sending some abusive traffic. The question
is, what balance of good traffic to abusive traffic will receiving
SMTP servers tolerate? That, IMHO, is a balancing act where no two
receiving domains will have exactly the same parameters.
> Think about that: We have to put exceptions in to let their stuff
> through when they are behaving at their worst and tripping these log
> analyzers so much that customers are complaining.
My point, exactly!
> Here is a summary right this moment on one mail server, a few seconds
> sample:
>
> Unknown Users By Host:
>...
> Earthlink, OH YEAH, direct hit, CUT+PASTE, as always:
>
> Nov 17 18:33:35 pcls5 sendmail[13516]: NOUSER: tracer3 relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
> Nov 17 18:33:38 pcls5 sendmail[13516]: NOUSER: tracer4 relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
> Nov 17 18:33:41 pcls5 sendmail[13516]: NOUSER: tracer5 relay=elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]
>...
All very familiar to ISPs... :^(
But perhaps not familiar to other readers of this list.
I'd like to suggest a few principles:
1) ISPs like Barry have _really_ helpful information they could share;
2) neither Earthlink nor World can afford to have humans in the loop;
3) it is not helpful to argue which of them to blame;
4) there _could_ be value in an automated way to tell Earthlink about abuse;
5) any use of <abuse at earthlink.com> cannot serve that purpose;
Now, a question for ASRG:
- can we design a _useful_ reporting scheme for, e.g., dictionary attacks?
--
John Leslie <john at jlc.net>
_______________________________________________
Asrg mailing list
Asrg at irtf.org
https://www.irtf.org/mailman/listinfo/asrg
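The "little log watcher" David Nicol asks about, and the exception list Barry says World has to maintain for large relays, can be sketched in a few dozen lines. The following is an added example written for this archive page, not code from World, Earthlink or any list participant. It parses sendmail NOUSER lines of the shape quoted above, counts unknown-user rejections per relay IP over a sliding window, and marks a source for a temporary perimeter block once it crosses a threshold; sources on an exception list are never blocked, only recorded for a report, which is the balancing act John describes. The host names, IP addresses (RFC 5737 documentation ranges), thresholds and the year 2008 used to complete syslog timestamps are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Matches the sendmail NOUSER lines quoted in the thread, e.g.
# "Nov 17 18:33:35 pcls5 sendmail[13516]: NOUSER: tracer3 relay=host [1.2.3.4]"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: "
    r"NOUSER: (?P<user>\S+) relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\]"
)

# Constructed sample log: five rejections from a large ISP's relay that is on
# the exception list, six from a single unlisted host guessing addresses, one
# plain typo from a small site, and one unrelated sendmail line.  Hosts and
# IPs are placeholders, not real relays.
SAMPLE_LOG = """\
Nov 17 18:33:35 pcls5 sendmail[13516]: NOUSER: tracer3 relay=relay.bigisp.example [203.0.113.5]
Nov 17 18:33:38 pcls5 sendmail[13516]: NOUSER: tracer4 relay=relay.bigisp.example [203.0.113.5]
Nov 17 18:33:41 pcls5 sendmail[13516]: NOUSER: tracer5 relay=relay.bigisp.example [203.0.113.5]
Nov 17 18:33:44 pcls5 sendmail[13516]: NOUSER: tracer6 relay=relay.bigisp.example [203.0.113.5]
Nov 17 18:33:47 pcls5 sendmail[13516]: NOUSER: tracer7 relay=relay.bigisp.example [203.0.113.5]
Nov 17 18:33:50 pcls5 sendmail[13517]: NOUSER: aaron relay=host-7.client.example [198.51.100.7]
Nov 17 18:33:51 pcls5 sendmail[13517]: NOUSER: abbey relay=host-7.client.example [198.51.100.7]
Nov 17 18:33:52 pcls5 sendmail[13517]: NOUSER: abbot relay=host-7.client.example [198.51.100.7]
Nov 17 18:33:53 pcls5 sendmail[13517]: NOUSER: abel relay=host-7.client.example [198.51.100.7]
Nov 17 18:33:54 pcls5 sendmail[13517]: NOUSER: abner relay=host-7.client.example [198.51.100.7]
Nov 17 18:33:55 pcls5 sendmail[13517]: NOUSER: abram relay=host-7.client.example [198.51.100.7]
Nov 17 18:34:10 pcls5 sendmail[13518]: NOUSER: jhon relay=mail.smallbiz.example [192.0.2.10]
Nov 17 18:34:12 pcls5 sendmail[13519]: mAHIYCxx013519: from=<alice@smallbiz.example>, size=1024
"""


def parse_line(line, year=2008):
    """Return (timestamp, user, relay, ip) for a NOUSER line, or None otherwise.
    Syslog lines carry no year, so one is assumed (2008, the thread's date)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("user"), m.group("relay"), m.group("ip")


class DictionaryAttackWatcher:
    """Sliding-window counter of unknown-user rejections per source IP."""

    def __init__(self, threshold=5, window=timedelta(seconds=60),
                 block_for=timedelta(hours=2), exceptions=()):
        self.threshold = threshold          # NOUSER hits within `window` that trip a block
        self.window = window
        self.block_for = block_for          # how long the perimeter drop lasts
        self.exceptions = set(exceptions)   # relays that are reported, never blocked
        self.recent = defaultdict(deque)    # ip -> timestamps inside the window
        self.blocked_until = {}             # ip -> datetime the block expires
        self.reports = []                   # (ip, relay, ts) for excepted sources

    def feed(self, line):
        """Consume one log line; return the decision taken for it."""
        parsed = parse_line(line)
        if parsed is None:
            return None                     # not a NOUSER line, ignore it
        ts, _user, relay, ip = parsed
        if ip in self.blocked_until and ts < self.blocked_until[ip]:
            return "blocked"                # already dropped at the perimeter
        hits = self.recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:
            hits.popleft()                  # forget hits older than the window
        if len(hits) < self.threshold:
            return "ok"
        hits.clear()                        # threshold reached: start a fresh count
        if ip in self.exceptions:
            self.reports.append((ip, relay, ts))
            return "report"                 # exception: tell the operator, let mail flow
        self.blocked_until[ip] = ts + self.block_for
        return "block"

    def active_blocks(self, now):
        """IPs whose temporary block has not yet expired at `now`."""
        return sorted(ip for ip, until in self.blocked_until.items() if until > now)


def run_sample(log=SAMPLE_LOG):
    """Run the watcher over the constructed log and summarise the outcome."""
    watcher = DictionaryAttackWatcher(threshold=5, window=timedelta(seconds=60),
                                      block_for=timedelta(hours=2),
                                      exceptions={"203.0.113.5"})
    decisions = Counter()
    for line in log.splitlines():
        outcome = watcher.feed(line)
        if outcome is not None:
            decisions[outcome] += 1
    now = datetime(2008, 11, 17, 18, 35, 0)
    return {
        "decisions": dict(decisions),
        "blocked": watcher.active_blocks(now),
        "blocked_after_expiry": watcher.active_blocks(now + timedelta(hours=3)),
        "reported": sorted({ip for ip, _relay, _ts in watcher.reports}),
    }


if __name__ == "__main__":
    print(run_sample())
```

On the sample, the unlisted host is blocked on its fifth rejection and its sixth line is already "blocked", while the excepted relay crosses the same threshold and only lands in `reports`; both blocks are gone once `block_for` has elapsed. The exception list is where the trade-off in the thread lives: raise it and wanted mail from a big ISP gets through at the cost of absorbing its abusive traffic, and the `reports` list is the raw material an automated abuse report to that ISP would need.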