Squirrelmail as HS under DDOS attack

Squirrelmail as HS under DDOS attack

ml
Hi list! We run this service: https://ruggedinbox.com
and are using squirrelmail (and roundcube) as the webmail
published on both clearnet and darknet (as a Tor Hidden Service).

Since yesterday we are getting a lot of requests to the file:
src/redirect.php,
so many that they disrupt the service under Tor and give problems to
the web server (lighttpd).

Currently we have disabled squirrelmail, redirect.php requests are still
coming but they get a 404 file not found error
and services are up again.

The attack is targeting the HS, so we are getting traffic from Tor,
which is impossible to discriminate and filter (all requests look like
they are coming from 127.0.0.1).

That said .. do you have any suggestions ?
What is the file redirect.php responsible for ?


Thanks for supporting!
RuggedInbox team

------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

Re: Squirrelmail as HS under DDOS attack

Paul Lesniewski
> Since yesterday we are getting a lot of requests to the file:
> src/redirect.php
>
> The attack is targeting the HS, so we are getting traffic from Tor,
> which is impossible to discriminate and filter (all requests looks like
> they are coming from 127.0.0.1).
>
> That said .. do you have any suggestions ?
> What is the file redirect.php responsible for ?

This is most likely a brute force password guessing attack.  If you
simply inspect the login page code, you'd see that the form submit
goes to that URI.  Most providers use either webmail plugins (of
course vanilla RoundCube is just as susceptible) or MTA features to
mitigate such attacks.  squirrelmail.org offers several such plugins.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: Squirrelmail as HS under DDOS attack

byrnejb

On Wed, December 24, 2014 12:36, Paul Lesniewski wrote:

>> Since yesterday we are getting a lot of requests to the file:
>> src/redirect.php
>>
>> The attack is targeting the HS, so we are getting traffic from Tor,
>> which is impossible to discriminate and filter (all requests looks like
>> they are coming from 127.0.0.1).
>>
>> That said .. do you have any suggestions ?
>> What is the file redirect.php responsible for ?
>
> This is most likely a brute force password guessing attack.  If you
> simply inspect the login page code, you'd see that the form submit
> goes to that URI.  Most providers use either webmail plugins (of
> course vanilla RoundCube is just as susceptible) or MTA features to
> mitigate such attacks.  squirrelmail.org offers several such plugins.
>

Or, you can install fail2ban and add the following to the indicated files:



# /etc/fail2ban/jail.local
# added HLL 2014-09-09
[squirrelmail]
enabled = true
port = http,https
filter = squirrelmail
# continuation lines of a multi-action value must be indented for fail2ban's parser
action = iptables-multiport[name=SquirrelMail, port="http,https", protocol=tcp]
         sendmail-whois[name=SquirrelMail, dest=[hidden email], sendername=Fail2Ban, sender=[hidden email]]
logpath = /var/log/squirrelmail.log
bantime = 300
maxretry = 5



#/etc/fail2ban/filter.d/squirrelmail.conf
# SquirrelMail Fail2Ban configuration file
[INCLUDES]

before = common.conf

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT

failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT

ignoreregex =


The action specified in the jail.local configuration (iptables-multiport)
should already be defined in /etc/fail2ban/action.d.

Note this example is from a CentOS-6 (RHEL6) setup using Fail2Ban from the
epel repository.  Different distributions may place these files in different
locations.


--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
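The jail above keys on the source address of each failed login, which is exactly what a Tor hidden service cannot provide: as the first post notes, every onion visitor reaches the web server from 127.0.0.1. The following added example (it is not part of the thread and not fail2ban's own code) replays the posted failregex over a few constructed SquirrelMail log lines, applies the jail's maxretry = 5 with fail2ban's default findtime of 600 seconds, and reports which addresses would be banned. The syslog-style line layout, the year 2014 and the sample addresses are assumptions of the example.

```python
"""Replay the posted SquirrelMail fail2ban filter over constructed log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands its <HOST> tag to this: an optional IPv4-mapped-IPv6 prefix
# (so "::ffff:198.51.100.7" yields "198.51.100.7") and a named group "host".
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex from the jail in the thread, with <HOST> expanded as above.
FAILREGEX = re.compile(
    r"\[LOGIN_ERROR\].*from " + HOST + r": Unknown user or password incorrect"
)

# Assumed syslog-style prefix "Mon DD HH:MM:SS host program:"; the jail's
# logpath says nothing about the line format, so this layout is an assumption.
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
LOG_YEAR = 2014  # syslog timestamps carry no year; assumed for the sample

MAXRETRY = 5                        # from the posted jail
FINDTIME = timedelta(seconds=600)   # fail2ban default; the jail does not set it

# Constructed sample lines (not real RuggedInbox data). 198.51.100.7 is a
# clearnet brute-forcer, 203.0.113.42 a clearnet user with two typos, and
# 127.0.0.1 is what every Tor hidden-service visitor looks like to the server.
SAMPLE_LOG = """\
Dec 24 12:30:01 mail squirrelmail: [LOGIN_ERROR] Login failed for alice from 198.51.100.7: Unknown user or password incorrect
Dec 24 12:30:02 mail squirrelmail: [LOGIN_ERROR] Login failed for bob from 198.51.100.7: Unknown user or password incorrect
Dec 24 12:30:03 mail squirrelmail: [LOGIN_ERROR] Login failed for carol from 198.51.100.7: Unknown user or password incorrect
Dec 24 12:30:04 mail squirrelmail: [LOGIN_ERROR] Login failed for dave from 198.51.100.7: Unknown user or password incorrect
Dec 24 12:30:05 mail squirrelmail: [LOGIN_ERROR] Login failed for erin from 198.51.100.7: Unknown user or password incorrect
Dec 24 12:30:06 mail squirrelmail: [LOGIN] User alice logged in from 203.0.113.42
Dec 24 12:30:10 mail squirrelmail: [LOGIN_ERROR] Login failed for frank from ::ffff:203.0.113.42: Unknown user or password incorrect
Dec 24 12:31:10 mail squirrelmail: [LOGIN_ERROR] Login failed for frank from 203.0.113.42: Unknown user or password incorrect
Dec 24 12:32:00 mail squirrelmail: [LOGIN_ERROR] Login failed for alice from 127.0.0.1: Unknown user or password incorrect
Dec 24 12:32:01 mail squirrelmail: [LOGIN_ERROR] Login failed for alice from 127.0.0.1: Unknown user or password incorrect
Dec 24 12:32:02 mail squirrelmail: [LOGIN_ERROR] Login failed for alice from 127.0.0.1: Unknown user or password incorrect
Dec 24 12:32:03 mail squirrelmail: [LOGIN_ERROR] Login failed for alice from 127.0.0.1: Unknown user or password incorrect
Dec 24 12:32:04 mail squirrelmail: [LOGIN_ERROR] Login failed for alice from 127.0.0.1: Unknown user or password incorrect
"""


def parse_failures(log_text):
    """Return [(timestamp, host)] for every line the failregex matches."""
    failures = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # fail2ban ignores lines the failregex does not match
        ts_m = SYSLOG_TS.match(line)
        if not ts_m:
            continue
        ts = datetime.strptime(ts_m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        failures.append((ts, m.group("host")))
    return failures


def bans(failures, maxretry=MAXRETRY, findtime=FINDTIME):
    """Sliding-window ban decision, host -> time of ban, as fail2ban would make it:
    a host is banned once it has maxretry failures inside any findtime window."""
    window = defaultdict(deque)
    banned = {}
    for ts, host in sorted(failures):
        if host in banned:
            continue  # already banned, further failures change nothing
        q = window[host]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


def hidden_service_caveat(banned):
    """True when the jail would ban 127.0.0.1. On a Tor hidden service that is
    the address of every onion visitor, so the ban locks all of them out."""
    return "127.0.0.1" in banned


if __name__ == "__main__":
    result = bans(parse_failures(SAMPLE_LOG))
    for host, when in sorted(result.items()):
        print(f"ban {host} at {when:%H:%M:%S}")
    if hidden_service_caveat(result):
        print("WARNING: 127.0.0.1 banned, every Tor hidden-service user is now blocked")
```

Run as written, the clearnet brute-forcer is banned as intended, the two-typo user is not, and 127.0.0.1 is banned as well: with the posted iptables-multiport action that rejects connections from localhost to the web ports, which is the path the local Tor daemon uses to reach the hidden-service backend, so the attacker has taken the onion side down for bantime seconds. Adding ignoreip = 127.0.0.1 to the jail avoids that, but then the onion traffic is simply unprotected. Per-address banning only helps the clearnet vhost; the hidden service needs a control that does not key on source address, such as the captcha plugins the thread ends with.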



Re: Squirrelmail as HS under DDOS attack

ml
In reply to this post by Paul Lesniewski
On 2014-12-24 17:36, Paul Lesniewski wrote:

>> Since yesterday we are getting a lot of requests to the file:
>> src/redirect.php
>>
>> The attack is targeting the HS, so we are getting traffic from Tor,
>> which is impossible to discriminate and filter (all requests looks
>> like
>> they are coming from 127.0.0.1).
>>
>> That said .. do you have any suggestions ?
>> What is the file redirect.php responsible for ?
>
> This is most likely a brute force password guessing attack.  If you
> simply inspect the login page code, you'd see that the form submit
> goes to that URI.  Most providers use either webmail plugins (of
> course vanilla RoundCube is just as susceptible) or MTA features to
> mitigate such attacks.  squirrelmail.org offers several such plugins.
>
> --
> Paul Lesniewski
> SquirrelMail Team
> Please support Open Source Software by donating to SquirrelMail!
> http://squirrelmail.org/donate_paul_lesniewski.php
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming! The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more.
> Take a
> look and join the conversation now. http://goparallel.sourceforge.net
> -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: [hidden email]
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options):
> https://lists.sourceforge.net/lists/listinfo/squirrelmail-users


Hi thanks for your suggestions, but since a Tor Hidden Service sees all
incoming traffic coming from 127.0.0.1, do you think that the mitigation
techniques will still work ?
An attacker can just use a cURL script, all the requests will be
identical to legit traffic.

Thanks for your comments,
RuggedInbox team



Re: Squirrelmail as HS under DDOS attack

Jari Fredriksson

> On 2014-12-24 17:36, Paul Lesniewski wrote:
>>> Since yesterday we are getting a lot of requests to the file:
>>> src/redirect.php
>>>
>>> The attack is targeting the HS, so we are getting traffic from Tor,
>>> which is impossible to discriminate and filter (all requests looks
>>> like
>>> they are coming from 127.0.0.1).
>>>
>>> That said .. do you have any suggestions ?
>>> What is the file redirect.php responsible for ?
>>
>> This is most likely a brute force password guessing attack.  If you
>> simply inspect the login page code, you'd see that the form submit
>> goes to that URI.  Most providers use either webmail plugins (of
>> course vanilla RoundCube is just as susceptible) or MTA features to
>> mitigate such attacks.  squirrelmail.org offers several such plugins.
>>
>> --
>> Paul Lesniewski
>> SquirrelMail Team
>> Please support Open Source Software by donating to SquirrelMail!
>> http://squirrelmail.org/donate_paul_lesniewski.php
>>
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming! The Go Parallel Website,
>> sponsored by Intel and developed in partnership with Slashdot Media, is
>> your
>> hub for all things parallel software development, from weekly thought
>> leadership blogs to news, videos, case studies, tutorials and more.
>> Take a
>> look and join the conversation now. http://goparallel.sourceforge.net
>> -----
>> squirrelmail-users mailing list
>> Posting guidelines: http://squirrelmail.org/postingguidelines
>> List address: [hidden email]
>> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
>> List info (subscribe/unsubscribe/change options):
>> https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>
>
> Hi thanks for your suggestions, but since a Tor Hidden Service sees all
> incoming traffic coming from 127.0.0.1, do you think that the mitigation
> techniques will still work ?
> An attacker can just use a cURL script, all the requests will be
> identical to legit traffic.
>
> Thanks for your comments,
> RuggedInbox team
>

Why do you have such a service in the box in the first place? I have my
firewalls blocking all access from Tor in all of my servers.

--
jarif.bit




Re: Squirrelmail as HS under DDOS attack [SOLVED]

ml
In reply to this post by ml
On 2014-12-27 18:15, [hidden email] wrote:

> On 2014-12-24 17:36, Paul Lesniewski wrote:
>>> Since yesterday we are getting a lot of requests to the file:
>>> src/redirect.php
>>>
>>> The attack is targeting the HS, so we are getting traffic from Tor,
>>> which is impossible to discriminate and filter (all requests looks
>>> like
>>> they are coming from 127.0.0.1).
>>>
>>> That said .. do you have any suggestions ?
>>> What is the file redirect.php responsible for ?
>>
>> This is most likely a brute force password guessing attack.  If you
>> simply inspect the login page code, you'd see that the form submit
>> goes to that URI.  Most providers use either webmail plugins (of
>> course vanilla RoundCube is just as susceptible) or MTA features to
>> mitigate such attacks.  squirrelmail.org offers several such plugins.
>>
>> --
>> Paul Lesniewski
>> SquirrelMail Team
>> Please support Open Source Software by donating to SquirrelMail!
>> http://squirrelmail.org/donate_paul_lesniewski.php
>>
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming! The Go Parallel Website,
>> sponsored by Intel and developed in partnership with Slashdot Media,
>> is
>> your
>> hub for all things parallel software development, from weekly thought
>> leadership blogs to news, videos, case studies, tutorials and more.
>> Take a
>> look and join the conversation now. http://goparallel.sourceforge.net
>> -----
>> squirrelmail-users mailing list
>> Posting guidelines: http://squirrelmail.org/postingguidelines
>> List address: [hidden email]
>> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
>> List info (subscribe/unsubscribe/change options):
>> https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>
>
> Hi thanks for your suggestions, but since a Tor Hidden Service sees all
> incoming traffic coming from 127.0.0.1, do you think that the
> mitigation
> techniques will still work ?
> An attacker can just use a cURL script, all the requests will be
> identical to legit traffic.
>
> Thanks for your comments,
> RuggedInbox team
>
>

Hi, in the end we installed a couple of plugins to enable captchas on
both squirrelmail and roundcube,
and the attack ceased immediately.
