Lotus Domino DoS solution

From: Radoslav Dejanović (radoslav.dejanovicat_private)
Date: Thu Aug 23 2001 - 00:31:37 PDT


    > where domain.com is not local to the server in question,
    > the server attempts to bounce the message, and the bounce
    > goes into a loop, constantly being sent back to the same
    > server.
    
    There is "Solution v1.0pl1" for this.
    
    Open Domino Administrator and connect to your Domino server.
    Click on the "Configuration" tab, then on the left pane expand the
    "Messaging" submenu, select "Configurations". On the right pane select
    your server to open its configuration panel.
    
    Now, you'll be presented with a new window named "Configuration for
    server/DOMAIN". There's a row of tabs on the top; select "Router/SMTP".
    You'll be presented with more tabs. Select the "Restrictions and Controls"
    tab to get even more tabs. :-)
    
    What you need is "SMTP Inbound Controls". There's a field under the section
    "Inbound Sender Controls" named "Deny messages from the following internet
    address/domains". Put the IP in that address, enclosed in brackets -
    [127.0.0.1]. Note that you can put more than one IP address there (i.e.
    your localhost and your real IP), but each must be enclosed in its own
    brackets.
    
    This is the slight change from my previous post (rejected anyway :-) - I
    made a mistake by selecting "Inbound Connection Controls" instead, which
    doesn't check for the sender's e-mail (what is really needed here, since
    the From: field generates trouble, not the inbound connection; credit for
    the fix goes to pero.vukojevicat_private).
    
    We tested this, and it rejects inbound connection made from address
    user@[127.0.0.1] with the nice message in the log:
    
    22.08.2001 17:10:32 SMTP Server: 10.11.8.110 connected
    22.08.2001 17:10:32 SMTP Server [0624:0004-0200] Mail from bounce@[127.0.0.1] rejected for policy reasons. Sender is denied in your configuration.
    
    This workaround can save you from DoS attacks (I've been told of at least
    one such attack recently on local Domino servers here), you can even use it
    in the middle of an attack to stop it.
    If you're already attacked and the message bounces around, you don't need
    to shut down entire server, just stop mail services, delete the message
    from the queue and start services again.
    
    Note: this workaround is tested just for the reported vulnerability. This
    shouldn't break anything, but be careful implementing this if your Domino
    server is not the main/only mail service at your location. If you encounter
    a problem, you can fix it easily by removing the value from the field, but in
    any case Microsoft-like EULA is applied to this message. ;-)
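
Added example, not part of the original post: a Python sketch that tallies the policy rejections this setting produces, using the two log lines quoted above as the format, and flags senders whose address literal is loopback or one of the server's own IPs. The function names, the `own_ips` parameter and the sample lines after the first two are assumptions; attributing a rejection to the preceding "connected" line is a heuristic that can mislabel peers when connections overlap.

```python
import ipaddress
import re
from collections import Counter

# Patterns follow the two log lines quoted in the post (assumed stable format).
CONNECT = re.compile(r"SMTP Server: (\S+) connected")
REJECT = re.compile(r"SMTP Server \[[^\]]+\] Mail from (\S+)\s+rejected for policy reasons")
LITERAL = re.compile(r"@\[([^\]]+)\]$")

def literal_ip(sender):
    """Return the IP inside user@[a.b.c.d], or None for a normal domain."""
    m = LITERAL.search(sender)
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def summarize(lines, own_ips=()):
    """Count policy rejections per (peer, sender) and collect senders whose
    address literal is loopback or one of the server's own addresses."""
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    hits, flagged, peer = Counter(), set(), None
    for line in lines:
        m = CONNECT.search(line)
        if m:
            peer = m.group(1)  # heuristic: last peer seen before the reject
            continue
        m = REJECT.search(line)
        if m:
            sender = m.group(1)
            hits[(peer, sender)] += 1
            ip = literal_ip(sender)
            if ip is not None and (ip.is_loopback or ip in own):
                flagged.add(sender)
    return hits, flagged

# Constructed sample: the first two entries are the lines quoted in the post,
# the remaining four are made up for this example.
REJ = " rejected for policy reasons. Sender is denied in your configuration."
SAMPLE = [
    "22.08.2001 17:10:32 SMTP Server: 10.11.8.110 connected",
    "22.08.2001 17:10:32 SMTP Server [0624:0004-0200] Mail from bounce@[127.0.0.1]" + REJ,
    "22.08.2001 17:10:40 SMTP Server: 10.11.8.110 connected",
    "22.08.2001 17:10:40 SMTP Server [0624:0005-0200] Mail from bounce@[127.0.0.1]" + REJ,
    "22.08.2001 17:11:02 SMTP Server: 192.0.2.7 connected",
    "22.08.2001 17:11:02 SMTP Server [0624:0006-0200] Mail from x@[192.0.2.25]" + REJ,
]
if __name__ == "__main__":
    print(summarize(SAMPLE, own_ips=["192.0.2.25"]))
```

A peer that keeps triggering the same flagged sender is a candidate for a connection-level block in addition to the sender rule.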
    


