Provoking Non-Delivery Notifications (NDN) as a Denial-of-Service (DoS) attack
Last revised: 18.06.2004
During the recent Sober.G / Sober.H outbreak, one virus-infected computer sent a single 4 KB email to one mailserver, using one of our email addresses as the forged sender address. Since Sober.G / Sober.H addresses each of its mails to 40 additional made-up recipients at a time, most of which do not exist, whoever has his email address abused by Sober as the sender ends up receiving the bounces (Non-Delivery Notifications, NDN). This is how we found out about the address abuse in the first place.
However, in our case we did not receive a single message saying that the virus mail (which we had nothing to do with) could not be delivered to those fake addresses. We received 40 messages with a total size of 400 KB. A not too uncommon server configuration had amplified the network traffic 100-fold (4 KB in, 400 KB out) through a combination of problems. It was a real-life instance of the scenario described on 05-Apr-2004 by Stefan Frei, Ivo Silvestri and Gunter Ollmann in "Mail Non Delivery Message DDoS Attacks": some of the most powerful mail servers on this planet are vulnerable to abuse. They can readily be turned into a weapon to flood any mailbox with megabytes and even gigabytes of junk data, overwhelming and crashing mail servers and disrupting communications. Here is what went wrong in the case we observed:
In short: generating a separate bounce for each of a large number of invalid carbon-copy addresses, and attaching the complete original mail to every one of those bounces, is a dangerous combination. Unless such issues are addressed soon, and on virtually all vulnerable mail servers, sooner or later someone will abuse this well-documented gaping security hole deliberately.
- The receiving mailserver did not verify the recipient addresses during the SMTP conversation and reject the unknown ones with a 5xx reply to RCPT TO, but accepted the whole mail. Having accepted it, it was obliged to send Non-Delivery Notifications "back" to the (forged) envelope sender instead of returning an error status to the connecting client, which is the only party that actually originated the message. (Rejecting at RCPT time does tell a client which local addresses exist; a server that cannot or will not check recipients at that point should at least not apply the remaining three behaviours below.)
- The receiving mailserver split the single mail with 40 recipients into 40 mails with one recipient each. As a side effect it generated 40 NDNs instead of 1.
- Instead of quoting only the mail header, which carries all the information needed to uniquely identify the message and its sender (and which a DSN may return as text/rfc822-headers instead of the full message/rfc822), it attached the complete message to each NDN. Abusing this behaviour by sending a 100 KB email with 100 bogus recipient addresses to the same server would dump 10 MB of junk into whatever mailbox was picked as the forged sender address.
- Even though the actual Sober.H message body was tiny (a single line with a URL), the receiving mailserver added about 6 KB of overhead to each NDN by being far too verbose in its notification text.
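The following is an added example (it is not code from the original article or from any of the servers involved) that models the four behaviours above as a configurable bounce policy, replays a small SMTP exchange against it, and works out how many bytes come back to the forged sender. The domain example.org, the user directory, the address victim@example.net, the 1 KB header size and the 512-byte "sane" NDN overhead are constructed assumptions; the 4 KB message, 40 bogus recipients and 6 KB overhead are the figures from the case described above.

```python
"""Added example: RCPT-time rejection versus accept-then-bounce, and the
resulting NDN volume, modelled on the Sober case described in the article.
All addresses, sizes and the user directory are constructed for illustration."""
from dataclasses import dataclass

LOCAL_DOMAIN = "example.org"          # assumed domain of the receiving MTA
KNOWN_USERS = {"alice", "bob"}        # constructed local user directory


@dataclass
class BouncePolicy:
    reject_unknown_at_rcpt: bool  # 550 at RCPT TO instead of accepting and bouncing later
    ndn_per_recipient: bool       # split an N-recipient mail into N copies -> N NDNs
    attach_full_message: bool     # message/rfc822 in the NDN instead of headers only
    ndn_overhead: int             # bytes of boilerplate text added to every NDN


# The behaviour observed on the receiving server in the article.
OBSERVED = BouncePolicy(False, True, True, 6 * 1024)
# What the same server should do: refuse unknown recipients while the
# originating client is still connected, so no NDN is ever needed.
HARDENED = BouncePolicy(True, False, False, 512)


def rcpt_reply(address, policy, known_users=KNOWN_USERS):
    """Server reply to 'RCPT TO:<address>' under the given policy."""
    local, _, domain = address.rpartition("@")
    if domain != LOCAL_DOMAIN:
        return "550 5.7.1 Relaying denied"
    if policy.reject_unknown_at_rcpt and local not in known_users:
        return "550 5.1.1 User unknown"          # error goes to the real client, not a forged sender
    return "250 2.1.5 OK"


def run_session(commands, policy, known_users=KNOWN_USERS):
    """Replay client SMTP commands (constructed, no network) against the policy.
    Returns (server replies, accepted recipients that will later produce an NDN)."""
    replies, accepted, will_bounce = [], [], []
    for cmd in commands:
        verb, _, arg = cmd.partition(":")
        verb = verb.strip().upper()
        if verb == "RCPT TO":
            addr = arg.strip().strip("<>")
            reply = rcpt_reply(addr, policy, known_users)
            if reply.startswith("250"):
                accepted.append(addr)
                if addr.rpartition("@")[0] not in known_users:
                    will_bounce.append(addr)    # accepted now, bounced after the client is gone
        elif verb == "DATA":
            reply = "354 End data with <CR><LF>.<CR><LF>" if accepted else "554 5.5.1 No valid recipients"
        else:
            reply = "250 2.0.0 OK"               # EHLO, MAIL FROM, QUIT etc. are not modelled further
        replies.append(reply)
    return replies, will_bounce


def ndn_bytes(policy, bounced, msg_size, header_size):
    """Total NDN bytes sent to the (possibly forged) envelope sender."""
    if not bounced:
        return 0
    count = len(bounced) if policy.ndn_per_recipient else 1
    payload = msg_size if policy.attach_full_message else header_size
    return count * (payload + policy.ndn_overhead)


def amplification(policy, n_bogus, msg_size=4 * 1024, header_size=1024):
    """Bytes returned to the forged sender per byte the attacker sent."""
    cmds = ["MAIL FROM:<victim@example.net>"]           # forged envelope sender
    cmds += [f"RCPT TO:<bogus{i}@{LOCAL_DOMAIN}>" for i in range(n_bogus)]
    cmds.append("DATA")
    _, bounced = run_session(cmds, policy)
    return ndn_bytes(policy, bounced, msg_size, header_size) / msg_size


if __name__ == "__main__":
    for name, pol in (("observed", OBSERVED), ("hardened", HARDENED)):
        print(f"{name}: {amplification(pol, 40):.1f}x for a 4 KB mail with 40 bogus recipients")
```

With the observed policy the model returns exactly the 100-fold amplification seen in the article (40 NDNs of 4 KB + 6 KB each); with RCPT-time rejection the factor is 0, because the error reaches the infected client directly. A server that cannot verify recipients at RCPT time but bounces once, with headers only and a short notice, stays well below 1x.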
"Mail Non Delivery Message DDoS Attacks" (Stefan Frei, Ivo Silvestri, Gunter Ollmann)
"Mail-Server als Verstärker für DoS-Angriffe" ("Mail servers as amplifiers for DoS attacks", Stefan Frei, heise.de)
Xenophobia, Spam and Viruses: The "German Spam"