9.1 Threat: Denial of service


The data and services in your infrastructure must be available to the people and business processes that rely on them. This applies not only to Exchange services but to the other services that support Exchange, such as AD, DNS, and the underlying network services. Since mission-critical systems must process data at an ever-increasing pace while at the same time servicing large populations of users, these systems are most vulnerable to attacks that prevent users from accessing services or data. In a messaging system, each activity (send, receive, browse, delete, move, and so forth) requires system resources, such as processor, memory, disk, or network bandwidth, in order to complete. In addition, the infrastructure services required by Exchange, such as DNS, the GC service (AD lookup), domain controllers (authentication), and the network itself, must also be available. An attacker can target the Exchange server or any of these supporting servers by initiating a flood of activity against a particular server or device. Network bandwidth can be consumed, a DNS server can be disabled or flooded with requests, or malicious Internet users can overwhelm your Exchange servers with SMTP messages or with connections to your Internet Message Access Protocol version 4 (IMAP4), Post Office Protocol version 3 (POP3), or Network News Transfer Protocol (NNTP) services. These attacks can exhaust your CPU and clog your virtual servers. Exchange allows you to accept or deny connections to your protocol virtual servers using lists of IP addresses and domain names that you specify. If your organization is continuously bombarded by an IP address or domain, you can explicitly deny access to that IP address or domain; Exchange uses reverse DNS lookup to check this list. All of these scenarios could result in users and other services being denied access to services and data, and the result could bring an Exchange organization to a halt.
Finally, the ceaseless “parade” of Windows vulnerabilities in this area further increases the exposure of Exchange servers to denial of service.

Denial-of-service (DoS) attacks can come in many forms and usually do not require a Ph.D. in computer science to instigate. Some of the most devastating attacks to date have required little expertise to produce. DoS attacks come at the network level, as in the case of TCP SYN flooding or ICMP attacks, in which floods of network packets hit a server or router, preventing legitimate clients from accessing required services. Clients are also susceptible to DoS attacks and should not be ignored when planning countermeasures to this potential threat. DoS attacks against an Exchange server most likely come in two forms. The first form is a virus-borne attack that results in DoS through viral replication. The other form comes against Exchange SMTP services, in which an SMTP (or other protocol) virtual server is tied up servicing bogus mail traffic while legitimate traffic cannot succeed. While this can occur against internal SMTP gateways, the attack is most commonly made against external Exchange SMTP services that are directly exposed (although usually inside a firewall) to the Internet. We will discuss this threat and the measures available to address this scenario in more detail later in this chapter.
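The SMTP connection-flood scenario above is the one an administrator can most readily spot from the virtual server's own logs. The following is an added example, not code from the book or from Exchange: it runs a sliding-window connection counter over constructed log lines (the "timestamp client-ip event" layout, the 60-second window, the threshold of 5 and the trusted 192.168.0.0/16 range are all assumptions) and produces the list of source addresses that would be candidates for the virtual server's deny list, while keeping internal relays off it.

```python
"""Sliding-window SMTP connection-flood detector (added example, not from the book)."""
from collections import defaultdict, deque
from datetime import datetime
import ipaddress

# Constructed sample log. The "<ISO timestamp> <client-ip> <event>" layout is an
# assumption for this example, not the Exchange 2003 protocol-log format.
SAMPLE_LOG = """\
2003-06-01T10:00:00 203.0.113.7 CONNECT
2003-06-01T10:00:05 203.0.113.7 CONNECT
2003-06-01T10:00:10 203.0.113.7 CONNECT
2003-06-01T10:00:12 198.51.100.4 CONNECT
2003-06-01T10:00:15 203.0.113.7 CONNECT
2003-06-01T10:00:20 203.0.113.7 CONNECT
2003-06-01T10:01:40 198.51.100.4 CONNECT
2003-06-01T10:02:00 192.168.1.20 CONNECT
2003-06-01T10:02:01 192.168.1.20 CONNECT
2003-06-01T10:02:02 192.168.1.20 CONNECT
2003-06-01T10:02:03 192.168.1.20 CONNECT
2003-06-01T10:02:04 192.168.1.20 CONNECT
2003-06-01T10:03:00 198.51.100.4 QUIT
"""

def parse_log(text):
    """Yield (timestamp, ip, event) tuples in file order, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def peak_connections(records, window_seconds=60):
    """Highest number of CONNECT events per client IP within any sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, ip, event in records:
        if event != "CONNECT":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop expired entries
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)

def deny_candidates(peaks, threshold=5, allow_nets=("192.168.0.0/16",)):
    """IPs whose peak rate reached the threshold, minus trusted networks (internal
    relays that legitimately connect often must never end up on the deny list)."""
    trusted = [ipaddress.ip_network(n) for n in allow_nets]
    return sorted(ip for ip, n in peaks.items()
                  if n >= threshold
                  and not any(ipaddress.ip_address(ip) in net for net in trusted))

if __name__ == "__main__":
    print(deny_candidates(peak_connections(parse_log(SAMPLE_LOG))))  # ['203.0.113.7']
```

Records must be fed in chronological order, as the protocol log writes them; the allow list is what keeps a busy internal gateway from being mistaken for an attacker.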




Mission-Critical Microsoft Exchange 2003: Designing and Building Reliable Exchange Servers (HP Technologies)
ISBN: 155558294X
Year: 2003
Pages: 91
Authors: Jerry Cochran
