On 2022-04-26 at 07:09:41 UTC-0400 (Tue, 26 Apr 2022 11:09:41 +0000)
 <pat...@patpro.net>
is rumored to have said:

> Brute-forcing passwords/accounts has nothing to do with DDoS. The purpose of brute-forcing a password is gaining access to a service in order to exploit it (steal data, send spam, etc.). The purpose of DDoS is to render the service unavailable.

It's entirely possible to accidentally participate in a de facto DDoS by being one of many simultaneous password-stuffing operations hitting the same underlying system. They technically don't even do pure "brute force" password scanning any more, as there is a huge stock of cheap known-good username+password combos readily available to those willing to test them in novel places.

> Unless you run postfix on a 10-year-old Raspberry, it can handle the load.

Not always true.

A few score simultaneous connections attempting to authenticate, failing, dropping, then reconnecting for another try can effectively gum up a normally capable mail server to the point where users notice and complain. It's uncommon for anyone to be using a 10yo Raspberry Pi for email, but a 10yo general purpose computer isn't an uncommon choice. Also, with the explosion of virtualization an increasing number of utility servers are virtual machines provisioned for efficient resource utilization and really can't take twice their normal peak load comfortably.

Not advertising (or allowing) AUTH on port 25 helps reduce (but not eliminate) AUTH attacks there, and it is usually safe to block huge swathes of address space from connecting to ports where the attacks might succeed. e.g. I don't have any reason to allow any packets aimed at port 465/587/993/995/143/110 from any OVH, Digital Ocean, AWS, GCP, China Mobile, Alibaba, or Azure ranges to machines that support POP, IMAP, or initial mail submission. Fail2Ban isn't the tool for implementing that sort of proactive blocking but it is very useful for identifying hotspots of abuse for cheaper, more static approaches.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
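As an added example (not from this thread or from Fail2Ban), a small Python script in the spirit of the last paragraph: it parses Postfix smtpd SASL failure lines and aggregates them per /24 so that whole ranges, rather than single hosts, surface as candidates for the kind of static blocking described. The log format and the sample addresses are constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Shape of a Postfix smtpd SASL failure line (constructed sample format for this example).
SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN) authentication failed"
)

def parse_failures(lines):
    """Yield the client IP of every SASL authentication failure in the log."""
    for line in lines:
        m = SASL_FAIL.search(line)
        if m:
            try:
                yield ipaddress.ip_address(m.group("ip"))
            except ValueError:
                continue  # malformed address: skip rather than crash

def hotspots(lines, prefix_len=24, min_hosts=2):
    """Group failures by IPv4 prefix; return [(network, failures, distinct_hosts)]
    sorted by failure count, keeping only prefixes with >= min_hosts distinct
    source addresses (a whole range misbehaving, not one box)."""
    per_net = defaultdict(lambda: [0, set()])
    for ip in parse_failures(lines):
        if ip.version != 4:
            continue  # keep the example to IPv4 aggregation
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_net[net][0] += 1
        per_net[net][1].add(ip)
    rows = [(str(n), c, len(h)) for n, (c, h) in per_net.items() if len(h) >= min_hosts]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample log using documentation address ranges, not a real capture.
SAMPLE_LOG = """\
Apr 26 11:01:02 mx postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 11:01:03 mx postfix/smtpd[2232]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 11:01:05 mx postfix/smtpd[2233]: warning: unknown[203.0.113.77]: SASL PLAIN authentication failed: authentication failure
Apr 26 11:01:06 mx postfix/smtpd[2234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 11:01:07 mx postfix/smtpd[2235]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 11:01:08 mx postfix/smtpd[2236]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 11:01:10 mx postfix/smtpd[2237]: warning: mail.example.net[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
""".splitlines()

if __name__ == "__main__":
    for net, fails, hosts in hotspots(SAMPLE_LOG):
        print(f"{net:<18} failures={fails:<3} distinct_hosts={hosts}")
```

With the defaults, a single host hammering one account (198.51.100.20 above) is left to Fail2Ban, while a /24 with several distinct failing sources is reported as a range worth a static rule.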
