We recently (last night) saw an interesting variation of an SMTP dictionary attack. I'm reporting it here for two unique characteristics:

1) It was a temporary DOS against the victim server (despite SMTP RCPT throttling). It appeared that the initial connection was sending a huge volume of addresses in a single RCPT, and was aggressively initiating more RCPT connections. The connection rate throttle did trigger, but the sheer volume of bad recipients appeared to mean it was too late.

2) Rather than a traditional dictionary attack, a brute-force attack was used, starting with two-letter usernames, then moving on to three-letter names. Some combinations appeared to be missing, but basically it was progressing through all alphabetic combinations. Interestingly, the "most significant letter", if you will, appeared to be the rightmost, as in:

aa ba ca da ... ab bb cb ... wz xz yz baa caa daa eaa ....

They made it all the way to "xcfha" before I intervened.

Source machine appears to be an AT&T cable modem. Appropriate AT&T contacts have been listed.

Woke me up in the middle of the night, so I didn't spend much time in analysis, I just started dropping SMTP from that machine at the border.

As an off-topic idea... if this becomes common, it would be awfully fun to poison their spamlist by pretending all of the addresses were valid :-).

--Rich

_________________________________________________________
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: rpuhekat_private
_________________________________________________________
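The two observations in Rich's post (a flood of rejected recipients inside a single connection that a connection-rate throttle cannot catch in time, and an enumeration that walks the keyspace with the rightmost letter as the most significant one) both show up in the mail server's own rejection log. The following is an added example, not code from the original post or from any product mentioned on this page: it parses constructed, Postfix-style "User unknown" rejection lines (the log format, the IP addresses and the localparts are all assumptions made up for the example), groups them by source address and by smtpd session, and flags a source as a localpart brute force when it produces many rejections, almost all of them short all-alphabetic names, arriving in the rightmost-significant order described above.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post). The format loosely
# follows Postfix's "Recipient address rejected: User unknown" lines.
# 192.0.2.10 walks the keyspace the way the post describes (aa ba ca ... ab bb
# ... baa caa ...) inside one smtpd session; 198.51.100.7 is ordinary typo traffic.
SAMPLE_LOG = """\
Mar  6 02:14:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <aa@example.net>: Recipient address rejected: User unknown
Mar  6 02:14:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <ba@example.net>: Recipient address rejected: User unknown
Mar  6 02:14:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <ca@example.net>: Recipient address rejected: User unknown
Mar  6 02:14:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <ab@example.net>: Recipient address rejected: User unknown
Mar  6 02:14:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <bb@example.net>: Recipient address rejected: User unknown
Mar  6 02:14:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <cb@example.net>: Recipient address rejected: User unknown
Mar  6 02:14:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <baa@example.net>: Recipient address rejected: User unknown
Mar  6 02:14:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <caa@example.net>: Recipient address rejected: User unknown
Mar  6 02:14:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <daa@example.net>: Recipient address rejected: User unknown
Mar  6 02:14:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <aba@example.net>: Recipient address rejected: User unknown
Mar  6 02:20:17 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 <jsmithh@example.net>: Recipient address rejected: User unknown
Mar  6 02:31:40 mx postfix/smtpd[1251]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 <sales-old@example.net>: Recipient address rejected: User unknown
"""

# Captures the smtpd session (pid), the client IP and the rejected localpart.
REJECT_RE = re.compile(
    r"smtpd\[(?P<pid>\d+)\].*RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 <(?P<local>[^@>]+)@"
)


def parse_rejects(log_text):
    """Return [(ip, pid, localpart), ...] for every unknown-user RCPT rejection, in log order."""
    out = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and "User unknown" in line:
            out.append((m.group("ip"), m.group("pid"), m.group("local")))
    return out


def enum_key(local):
    """Sort key for the ordering in the post: shorter names first, then lexicographic
    on the *reversed* name, so the rightmost letter is the most significant."""
    return (len(local), local[::-1])


def is_rightmost_significant_sequence(locals_):
    """True if the names strictly increase under enum_key, i.e. they were tried in the
    order aa, ba, ca, ..., ab, bb, ... rather than as a random or dictionary list."""
    keys = [enum_key(l) for l in locals_]
    return len(keys) >= 2 and all(a < b for a, b in zip(keys, keys[1:]))


def analyze(log_text, min_rejects=8, max_len=5, min_ratio=0.9):
    """Per source IP: rejection count, number of sessions, worst single session
    (the per-connection volume a connection-rate throttle misses), the share of
    short all-alphabetic localparts, and whether they arrive in enumeration order."""
    per_ip = defaultdict(list)
    per_session = defaultdict(int)
    for ip, pid, local in parse_rejects(log_text):
        per_ip[ip].append(local)
        per_session[(ip, pid)] += 1
    report = {}
    for ip, locals_ in per_ip.items():
        short_alpha = [l for l in locals_ if l.isalpha() and len(l) <= max_len]
        ratio = len(short_alpha) / len(locals_)
        ordered = is_rightmost_significant_sequence(short_alpha)
        sessions = [n for (sip, _), n in per_session.items() if sip == ip]
        report[ip] = {
            "rejects": len(locals_),
            "sessions": len(sessions),
            "max_rejects_per_session": max(sessions),
            "short_alpha_ratio": round(ratio, 2),
            "ordered": ordered,
            "enumeration": len(locals_) >= min_rejects and ratio >= min_ratio and ordered,
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

The per-session count is the figure worth alerting on here: ten unknown recipients in one connection is the signal a connection-rate throttle never sees, and it is what a per-session unknown-recipient limit (or a tarpit that kicks in after a handful of bad RCPTs) acts on. The ordering check is deliberately strict; a feed with a few missing combinations, as in the post, still passes because only the relative order of the names that do arrive is compared.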
This archive was generated by hypermail 2b30 : Thu Mar 06 2003 - 12:52:15 PST