An SMTP HELO flood is a layer 7 DDoS attack that aims to exhaust server resources by bombarding an SMTP server with repeated HELO commands, ultimately leading to a DoS state for the email services.

This DDoS attack takes advantage of the SMTP servers’ response mechanism by sending a rapid succession of HELO commands. The targeted server then dedicates resources to process and respond to each command, which can severely drain server resources when executed in large volumes.

When the victim server’s resources or bandwidth gets overwhelmed, it disrupts the normal flow of emails, preventing legitimate email traffic from being processed.

Differentiating SMTP HELO flood traffic from standard SMTP traffic can be challenging because both utilize standard SMTP commands.

Technical Analysis

Below is an analysis of an SMTP HELO flood attack targeting a single destination IP from a single attacking source IP:

Image 1 – Example of TCP connection

To send SMTP commands the client establishes a TCP connection to port 25.

Image 2 – Server responds with 220 code

After the three-way handshake, the server responds with a “Service ready (220)” code, indicating it is ready for further commands.

Image 3 – The client sends a HELO command

The client sends a HELO command with its domain as its Request parameter.

*The Request parameter will differ according to the attacker’s domain.

Image 4 – The server answers with 250 code

The server responds with a “Requested mail action okay, completed (250)” code and its domain.

Image 5 – The client sends a QUIT command

The client sends a QUIT command in order to close the connection.

Image 6 – The Server closes the connection

The server sends a “Service closing transmission channel (221)” code and proceeds to close the TCP connection.

Image 7 – SMTP HELO flood stats

As seen in the image above, the analyzed capture spans around 9.1 seconds, with an average of around 112 packets per second (PPS) and a rate of around 0.057 Mbps (considered low; the attack you are analyzing can be significantly higher).
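The exchange in images 1 to 6 and the capture figures in image 7 can be reproduced on a small constructed data set. The Python below is an added example, not code from the original article or its PCAP: it builds a constructed capture (IPs from the RFC 5737 documentation ranges, frame lengths approximated) in which one client repeats HELO/QUIT sessions while another client actually sends mail, computes the capture-wide duration, packets per second and Mbps that Wireshark's Statistics -> Summary reports, and flags sources whose streams issue HELO but never MAIL FROM. The per-source threshold is an assumed tuning value, not one taken from the article.

```python
"""Added example (not part of the original article): compute the capture-level
figures the article reads from Wireshark's Statistics -> Summary, and flag
sources whose TCP streams repeat HELO/QUIT without ever issuing MAIL FROM.
All packet records below are constructed; IPs come from RFC 5737 ranges."""
from collections import defaultdict
from dataclasses import dataclass

ATTACKER, LEGIT, SERVER = "192.0.2.10", "203.0.113.7", "198.51.100.25"  # constructed


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str
    dst: str
    stream: int    # TCP stream index, as Wireshark numbers them
    length: int    # frame length in bytes (approximate, constructed)
    line: str      # SMTP payload line; "" for a pure TCP segment


def smtp_session(t0, client, stream, commands):
    """One TCP stream in the shape of the article's images 1-6: handshake,
    220 banner, then each client command followed by the server's reply."""
    frames = [(client, SERVER, 74, ""), (SERVER, client, 74, ""), (client, SERVER, 66, ""),
              (SERVER, client, 106, "220 mail.example.net ESMTP Service ready")]
    for cmd in commands:
        frames.append((client, SERVER, 66 + len(cmd) + 2, cmd))
        if cmd.upper().startswith("QUIT"):
            reply = "221 mail.example.net Service closing transmission channel"
        else:
            reply = "250 mail.example.net"
        frames.append((SERVER, client, 66 + len(reply) + 2, reply))
    return [Packet(t0 + k * 0.001, s, d, stream, n, line)
            for k, (s, d, n, line) in enumerate(frames)]


def constructed_capture(flood_sessions=100, duration=9.1):
    """Constructed sample: one source opening HELO/QUIT sessions back to back,
    plus a single legitimate client that goes on to deliver a message."""
    pkts, stream = [], 0
    for i in range(flood_sessions):
        pkts += smtp_session(i * duration / flood_sessions, ATTACKER, stream,
                             ["HELO attacker.example", "QUIT"])
        stream += 1
    pkts += smtp_session(0.5, LEGIT, stream,
                         ["EHLO mail.example.org", "MAIL FROM:<a@example.org>",
                          "RCPT TO:<b@example.net>", "QUIT"])
    return sorted(pkts, key=lambda p: p.ts)


def capture_stats(packets):
    """Duration, packets/s and Mbit/s for the whole capture."""
    if not packets:
        return {"packets": 0, "duration": 0.0, "pps": 0.0, "mbps": 0.0}
    duration = max(p.ts for p in packets) - min(p.ts for p in packets)
    total_bytes = sum(p.length for p in packets)
    secs = duration if duration > 0 else 1.0  # single-instant capture: treat as 1 s
    return {"packets": len(packets), "duration": duration,
            "pps": len(packets) / secs, "mbps": total_bytes * 8 / secs / 1e6}


def sessions_by_source(packets):
    """Per client IP: streams that sent HELO/EHLO and quit without MAIL
    ('helo_only') versus streams that went on to MAIL FROM ('with_mail')."""
    streams = {}
    for p in sorted(packets, key=lambda p: p.ts):
        s = streams.setdefault(p.stream, {"client": p.src, "cmds": set()})
        if p.line and p.src == s["client"]:
            s["cmds"].add(p.line.split()[0].upper())
    counts = defaultdict(lambda: {"helo_only": 0, "with_mail": 0})
    for s in streams.values():
        if s["cmds"] & {"HELO", "EHLO"}:
            counts[s["client"]]["with_mail" if "MAIL" in s["cmds"] else "helo_only"] += 1
    return dict(counts)


def flag_flood_sources(packets, max_helo_only_per_sec=5.0):
    """Sources whose rate of HELO-only streams exceeds the threshold
    (assumed tuning value; legitimate relays rarely greet and quit repeatedly)."""
    secs = capture_stats(packets)["duration"] or 1.0
    return {src for src, c in sessions_by_source(packets).items()
            if c["helo_only"] / secs > max_helo_only_per_sec}


if __name__ == "__main__":
    cap = constructed_capture()
    print(capture_stats(cap))
    print(sessions_by_source(cap))
    print("flagged:", flag_flood_sources(cap))
```

The distinguishing feature used here is behavioural rather than syntactic: both clients send valid HELO/EHLO commands, but only the flood source opens stream after stream that greets and quits without a MAIL FROM. On a real capture the same logic can be fed from `tshark` fields (`tcp.stream`, `ip.src`, `frame.len`, `smtp.req.command`) instead of the constructed records.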

Analysis of an SMTP HELO flood in Wireshark – Filters

Filter only SMTP protocol – “smtp”

Filter only SMTP HELO commands – “smtp.req.command == "HELO"” (the string comparison is case-sensitive; a client sending a lowercase helo is matched by “smtp.req.command matches "^helo$"”, which is case-insensitive)

Go to Statistics -> Summary on the menu bar to understand the rate you are looking at.

Download Example PCAP of SMTP HELO Flood

*Note: IPs have been randomized to ensure privacy.