On 2022-04-26 at 07:09:41 UTC-0400 (Tue, 26 Apr 2022 11:09:41 +0000)
<pat...@patpro.net>
is rumored to have said:
> Brute-forcing passwords/account has nothing to do with DDoS. Purpose of
> brute-forcing password is gaining access to a service in order to
> exploit it (steal data, send spam, etc.). Purpose of DDoS is to render
> the service unavailable.
It's entirely possible to accidentally participate in a de facto DDoS by
being one of many simultaneous password-stuffing operations hitting the
same underlying system. They technically don't even do pure "brute
force" password scanning any more, as there is a huge stock of cheap
known-good username+password combos readily available to those willing
to test them in novel places.
> Unless you run postfix on a 10-year-old Raspberry, it can handle the
> load.
Not always true.
A few score simultaneous connections attempting to authenticate,
failing, dropping, then reconnecting for another try can effectively gum
up a normally capable mail server to the point where users notice and
complain. It's uncommon for anyone to be using a 10yo Raspberry Pi for
email, but a 10yo general purpose computer isn't an uncommon choice.
Also, with the explosion of virtualization an increasing number of
utility servers are virtual machines provisioned for efficient resource
utilization and really can't take twice their normal peak load
comfortably.
Not advertising (or allowing) AUTH on port 25 helps reduce (but not
eliminate) AUTH attacks there, and it is usually safe to block huge
swathes of address space from connecting to ports where the attacks
might succeed. e.g. I don't have any reason to allow any packets aimed
at port 465/587/993/995/143/110 from any OVH, Digital Ocean, AWS, GCP,
China Mobile, Alibaba, or Azure ranges to machines that support POP,
IMAP, or initial mail submission. Fail2Ban isn't the tool for
implementing that sort of proactive blocking but it is very useful for
identifying hotspots of abuse for cheaper, more static approaches.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
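As an added illustration of the "identifying hotspots of abuse" point above (example code written for this thread, not Bill's and not part of Postfix or Fail2Ban): a script that counts Postfix SASL authentication failures per client and groups them by /24 so that networks with several distinct failing hosts can be handed to a cheaper static firewall rule. It assumes Postfix's usual smtpd warning format; the log lines, addresses (RFC 5737 TEST-NET) and thresholds are constructed.

```python
import ipaddress
import re
from collections import Counter

# Postfix logs each failed SASL attempt as an smtpd warning naming the client;
# the optional middle path segment covers per-service names like submission/smtpd.
SASL_FAIL = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: warning: [\w.-]*\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5) authentication failed"
)

# Constructed sample log lines using RFC 5737 TEST-NET addresses, not real traffic.
SAMPLE_LOG = """\
Apr 26 11:09:41 mx postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 11:09:42 mx postfix/submission/smtpd[2102]: warning: unknown[203.0.113.17]: SASL PLAIN authentication failed: authentication failure
Apr 26 11:09:43 mx postfix/smtpd[2103]: warning: unknown[203.0.113.99]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 11:09:44 mx postfix/smtpd[2104]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 11:09:45 mx postfix/smtpd[2105]: connect from unknown[192.0.2.44]
Apr 26 11:09:46 mx postfix/submission/smtpd[2106]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

def failed_auth_sources(log_text):
    """Count failed SASL logins per client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def hotspots(ip_counts, prefix_len=24, min_distinct_hosts=2):
    """Group failing IPv4 clients into /prefix_len networks and return those with at
    least min_distinct_hosts distinct hosts as (network, hosts, failures), worst first."""
    nets = {}
    for ip, count in ip_counts.items():
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            continue  # IPv6 would want /64 grouping; out of scope for this sample
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        hosts, total = nets.get(net, (set(), 0))
        hosts.add(addr)
        nets[net] = (hosts, total + count)
    out = [(str(n), len(h), t) for n, (h, t) in nets.items() if len(h) >= min_distinct_hosts]
    out.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return out

if __name__ == "__main__":
    for net, hosts, total in hotspots(failed_auth_sources(SAMPLE_LOG)):
        print(f"{net}: {hosts} hosts, {total} failed logins")
```

A single host hammering one account still shows up in the per-IP counter (Fail2Ban's territory); the /24 view only surfaces networks where several distinct hosts fail, which is the signal for a static block.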