[ale] Being used in a DOS attack against others

[Jonathan Rickman]

On 8 Aug 2002, Michael Hirsch wrote:

> Someone has been using our mail server to amplify a DOS attack against
> some other mail servers.  It works like this.  Then send a mail to
> randomuser at nubridges.com with a return address of attackedcompany.com.
> Since random user does not exist we send a reply that the user does not
> exit to attackedcompany's mail server.  So we flood their mail server.
>
> I've never seen this attack before, though it seems quite simiple.  Is
> this a well know DOS attack?  Has anyone else been experiencing this?
>
> It seems to have stopped this morning, but it was ongoing for the last
> two days.

That would be a somewhat inefficient was to generate a denial of service.
More than likely you have a spammer that is probing addresses in your
domain and just happened to pick the other company as his spoofed return
address. I suppose it's possible to generate a DoS if you send enough
email, and the other party host mail on a 56k dial up. However, the
attacker would first need to know that your mail server/connection speed
was that much greater than the other party.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.