Protecting Mail Servers from DoS Attacks in Carbonio Community Edition | Carbonio CE

Previously, we talked about Postscreen, a solution that can protect the Carbonio mail server from automated spam mailings from botnets and compromised mail servers via the SMTP protocol, which can create a lot of inconvenience for users and administrators, and even lead to mail server failure. However, SMTP is not the only way to send multiple requests to Carbonio. To limit clients that are excessively active, Carbonio CE has a built-in DoS Filter. Read about what it is and how to use it to increase the security of your server in our article.

Denial of service (DoS) is a common type of attack on information infrastructure. Their goal is to crash the server by generating many requests that the server is unable to process in a reasonable time frame. The result is a long wait for a response from the server for its users or a denial of service when the client does not receive a response from the server.

Sometimes DoS attacks can be unintentional. For example, in cases where a client connects to a server using multiple email clients and starts pumping out their emails using them, it also creates an abnormally large load on the server, which can lead to reduced responsiveness of the service for other users, and which should also be limited.

Carbonio’s built-in DoS Filter runs on the Carbonio Proxy host and monitors client activity based on their IP addresses. If the number of requests per second from a specific IP address exceeds all reasonable limits, the client that connects from it receives a 503 error, and its requests stop reaching the mail storage.

DoS Configuration

The behavior of the DoS filter is configured on the command line using the following parameters:

zimbraHttpDosFilterMaxRequestsPerSec

Which defines the maximum number of requests that can come from one IP address per second.

zimbraHttpDosFilterDelayMillis

Which defines the number of milliseconds of delay that is applied to all requests exceeding the configured limit.

By default, the value of the zimbraHttpDosFilterMaxRequestsPerSec parameter is 100. That is, the maximum number of requests from one IP address should not exceed this value. The fate that awaits rejected requests is determined by the zimbraHttpDosFilterDelayMillis parameter. By default, it is equal to -1, that is, requests that do not fit into the established limit are simply rejected.

These values can be changed globally using the commands

carbonio prov modifyConfig zimbraHttpDosFilterMaxRequestsPerSec 150
carbonio prov modifyConfig zimbraHttpDosFilterDelayMillis 0

The zimbraHttpDosFilterDelayMillis parameter can have three values: -1, 0, and any other positive natural number. As already mentioned, -1 means not executing a request that did not meet the limit, 0 means executing it without delay, and other numbers indicate the amount of this delay.

Changing these settings may only be necessary on highly loaded systems where there is a high proportion of users using a common IP address to connect to the server. If you know the subnets from which a large number of legitimate requests are sent to the server, you can add them to the DoS Filter white list.

To create a whitelist with a specific IP address, use a command like

carbonio prov modifyConfig zimbraHttpThrottleSafeIPs 10.0.1.2/32

To create a whitelist with a specific subnet, use a command like

carbonio prov modifyConfig zimbraHttpThrottleSafeIPs 192.168.1.0/24

The existing white list can be supplemented with new addresses and subnets:

carbonio prov modifyConfig +zimbraHttpThrottleSafeIPs 192.168.100.0/24

Remove an address or subnet from the white list:

carbonio prov modifyConfig -zimbraHttpThrottleSafeIPs 192.168.100.0/24

View existing whitelist

carbonio prov getConfig -zimbraHttpThrottleSafeIPs

DoS Filter can be used as an alternative to Fail2Ban and a built-in solution to counteract the brute force of user passwords. Let us recall that Carbonio has a built-in mechanism that allows you to set up an account lock after a certain number of unsuccessful login attempts, but this mechanism also has its drawbacks, since in the event of a remote brute force attack on a mailbox, a legitimate user loses access to his mailbox. Using Fail2Ban allows you to set up monitoring of system logs in order to block not the mailbox, but the attacker’s IP address, but it is quite complicated to set up. Instead, you can use the DoS Filter settings, which also block the user by IP address after a series of unsuccessful login attempts.

Three parameters are responsible for the corresponding setting:

zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating

Which determines for how long the IP address of the attacker is blocked.

zimbraInvalidLoginFilterMaxFailedLogin

Which determines how many failed login attempts a user must make in order to be blocked

zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin

Which defines the limit interval within which unsuccessful entry attempts will be considered consecutive.

Configuration Example

carbonio prov modifyConfig zimbraInvalidLoginFilterDelayInMinBetwnReqBeforeReinstating 25
carbonio prov modifyConfig zimbraInvalidLoginFilterMaxFailedLogin 5
carbonio prov modifyConfig zimbraInvalidLoginFilterReinstateIpTaskIntervalInMin 5

In this example, the IP address of a user who entered the wrong password five times with an interval of less than 5 minutes between attempts is blocked for 25 minutes. After entering the settings, you will need to restart the mail server.

Carbonio Mobile DoS Filter is initially disabled but can be enabled by the administrator. It ensures that devices do not exceed the connection limit available to them per unit of time. In case of violation, the device is also blocked for a certain period.

Enabling and configuring Carbonio Mobile DoS Filter is done on the command line using the following commands:

mobileAntiDosServiceEnabled

Which turns the service on and off (false by default)

mobileAntiDosServiceJailDuration

Which is the duration of blocking (in milliseconds) of the device (default 600000 milliseconds)

mobileAntiDosServiceTimeWindow

Which is the time interval for estimating connection frequency (default 30000 milliseconds)

mobileAntiDosServiceMaxRequests

Which is a limit on the number of connection requests per device (Default 150)

This solution differs from the usual DoS-Filter in that it blocks the user not by IP address, but by device ID. By the way, when you restart the service using the carbonio mobile doRestartService anti-dos command, all locks, and counters are reset.

Configuration Example

carbonio config global set mobileAntiDosServiceEnabled true
carbonio config global set mobileAntiDosServiceJailDuration 60000
carbonio config global set mobileAntiDosServiceTimeWindow 15000
carbonio config global set mobileAntiDosServiceMaxRequests 100

This example enables the Carbonio Mobile DoS Filter service, which blocks for 1 minute any device that sends more than 100 connection requests within 15 seconds.

Thus, DoS Filter allows you to protect the server not only from attackers but also protects the server from additional loads that can be created by users when using the service too actively.