Wandering Thoughts archives

2007-09-12

Mass scanning via POP3

For our backwards compatibility sins, we have plain POP3 exposed to the general Internet. This morning, we discovered that our POP3 server had more or less locked up around 6:30 am, apparently because someone decided to open up hundreds of connections to it and perform a brute force mass account/password attempt.

(In fact it took down our IMAP server too, because we're running Dovecot. This is one of the annoying limitations of Dovecot; there is a central server process that has a couple of file descriptors for every active connection. Run out of file descriptors here and everything grinds to a halt.)

In retrospect, this makes a great deal of sense for the attacker, because POP3 is a great protocol to go after. Not only do you get to try brute-forcing plaintext passwords, but you don't even have to spend any time and effort on handling an encryption protocol the way you do with mass ssh scanning; it's all in plain ASCII. Some testing suggests that you can even pipeline the commands.

(You still need many parallel connections, because Dovecot pauses for a while after a failed password even though this doesn't do anything effective.)

I've found myself wondering if the attacker might have been a would-be spammer wanting to mine people's email for highly useful live addresses instead of a cracker looking for logins, since there is no guarantee that a POP3 account will get you a real login.
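One way to spot this pattern from the defender's side is to count how many distinct usernames each remote address fails to log in as within a short window. This is an added example, not part of the original post. The log line shape is an assumption modelled on Dovecot's pop3-login syslog messages, and the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape, modelled on Dovecot's pop3-login syslog messages.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ dovecot: pop3-login: (?P<event>[^:]+): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

def parse(line, year=2007):
    """Return (timestamp, auth_failed, user, remote_ip), or None if no match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, "auth failed" in m["event"], m["user"], m["rip"]

def find_sprayers(lines, window=timedelta(seconds=60), min_users=5):
    """Map each flagged remote IP to the most distinct usernames it failed
    to log in as inside any one sliding window."""
    recent = defaultdict(deque)  # remote_ip -> (timestamp, user) failures
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or not rec[1]:
            continue
        ts, _, user, rip = rec
        q = recent[rip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= min_users:
            flagged[rip] = max(flagged.get(rip, 0), distinct)
    return flagged

# Constructed sample log (documentation-range addresses, invented usernames).
FAIL = ("Sep 12 06:30:{:02d} mail dovecot: pop3-login: Aborted login "
        "(auth failed, 1 attempts): user=<{}>, method=PLAIN, rip={}, lip=192.0.2.10")
SAMPLE = [FAIL.format(i, u, "203.0.113.7") for i, u in
          enumerate(["admin", "test", "info", "sales", "guest", "webmaster"])]
SAMPLE += [FAIL.format(20, "alice", "192.0.2.44"), FAIL.format(31, "alice", "192.0.2.44"),
           "Sep 12 06:30:40 mail dovecot: pop3-login: Login: user=<alice>, "
           "method=PLAIN, rip=192.0.2.44, lip=192.0.2.10"]

if __name__ == "__main__":
    for ip, n in find_sprayers(SAMPLE).items():
        print(f"{ip}: {n} distinct usernames failed within 60s")
```

Keying on distinct usernames rather than raw failure counts keeps a single user mistyping their own password from being flagged, while many parallel connections from one address still add up under the same key.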

sysadmin/MassPOP3Attack written at 23:39:52

