SMTP HELO Flood

An SMTP HELO flood is a layer 7 DDoS attack that aims to exhaust server resources by bombarding an SMTP server with repeated HELO commands, ultimately leading to a DoS state for the email services.

This DDoS attack takes advantage of the SMTP servers’ response mechanism by sending a rapid succession of HELO commands. The targeted server then dedicates resources to process and respond to each command, which can severely drain server resources when executed in large volumes.

When the victim server’s resources or bandwidth gets overwhelmed, it disrupts the normal flow of emails, preventing legitimate email traffic from being processed.

Differentiating SMTP HELO flood traffic from standard SMTP traffic can be challenging because both utilize standard SMTP commands.

Technical Analysis

Below is an analysis of an SMTP HELO flood attack targeting a single destination IP from a single attacking source IP:

Image 1 – Example of TCP connection

To send SMTP commands the client establishes a TCP connection to port 25.

Image 2 – Server responds with 220 code

After the threeway-handshake, the server responds with a “Service ready(220)” code indicating it is ready for other commands.

Image 3 – The client sends a HELO command

The client sends a HELO command with its domain as its Request parameter.

*The Request parameter will differ according to the attacker’s domain.

Image 4 – The server answers with 250 code

The server responds with a “Requested main action okay, completed (250)” code and its domain.

Image 5 – The client sends a QUIT command

The client sends a QUIT command in order to close the connection.

Image 6 – The Server closes the connection

The server sends a “Service closing transmission channel(221)”code. And proceed to close the TCP connection.

Image 7 – SMTP HELO flood stats

As seen in the image above. The capture analyzed is around 9.1 seconds, and the average number of packets per second is around 112 PPS, with a rate of around 0.057Mbps per second (considered low, the attack you are analyzing can be significantly higher).

Analysis of an SMTP HELO flood in Wireshark – Filters

Filter only SMTP protocol – “smtp”

filter only SMTP helo commands – “smtp.req.command == helo”

Go to Statistics -> Summary on the menu bar to understand the rate you are looking at.

Download Example PCAP of SMTP HELO Flood

*Note: IP’s have been randomized to ensure privacy.

Categories

Uncover & Eliminate DDoS Threats

Most Recent

MazeBolt RADAR™ DDoS Testing is now available in Microsoft Azure
At MazeBolt, our mission is to identify and enable remediation of all DDoS vulnerabilities ahead of time. We’re excited to announce our collaboration …read more

Understanding the efficiency of existing DDoS Mitigation
Analyze the existing DDoS Mitigation postures and their effectiveness against layer 3, layer 4 and layer 7 ddos attacks. Make sure that no DDoS vulnerabilities go undetected, ever ...read more

Most Common DDoS attacks
Learn about the different types of Layer 3, layer 4 and layer 7 DDoS attacks and the best practices to mitigate these attacks and lower risk to less than 2% ...read more