Greylisting Security
GREYLISTING
A technique widely employed by email servers is called Greylisting. It has
been used with great success to eliminate a large percentage of spam email.
Criminal email systems tasked with the delivery of millions upon millions of
unwanted emails work to deliver them as efficiently and as quickly as possible.
In that effort there is no time to retry any delivery; those systems simply move
on to the next target when any difficulty is encountered. So legitimate email
servers initially refuse email from an unknown source, and the source is
temporarily relegated to a "greylist". If the delivery is retried with standard
timing, the email is accepted and the source approved for further exchanges.
This technique is very effective.
JANOS uniquely takes the Greylisting technique to a new level. While the JNIOR
does not receive emails, it does receive connection requests. Before any remote
system can make a connection to the JNIOR it must first send a request. This
comes in the form of a Transmission Control Protocol (TCP) packet with the SYN
flag set. Normally JANOS acknowledges the SYN packet with a SYN ACK and proceeds
to form the connection with the remote client.
Just as with email delivery, a malicious bot program does not bother retrying
should it have difficulty connecting. If Greylisting is enabled on the JNIOR,
that first SYN packet is ignored and the client is added to a greylist. A
well-behaved client system will retry the connection; the Internet is a lossy
network after all. The bot, however, gets no response, assumes that there is no
computer at that IP address, and moves on without retrying, or retries far too
aggressively. If a valid retry is received from a client that is already in the
greylist, the connection is allowed. This feature is enabled by setting the
IpConfig/Greylisting Registry key to "enabled".
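The following is an added illustration, not code from the JANOS documentation: a
Python simulation of the SYN greylisting decision described above. The retry
windows (MIN_RETRY_SECS, GREYLIST_TTL_SECS) and the sample SYN arrival log are
constructed assumptions, not the actual JANOS parameters.

```python
from dataclasses import dataclass, field

# Assumed policy windows (constructed for this example, not JANOS values).
MIN_RETRY_SECS = 0.5       # a retry faster than this is "too aggressive"
GREYLIST_TTL_SECS = 120.0  # a retry later than this counts as a fresh first contact


@dataclass
class SynGreylister:
    greylist: dict = field(default_factory=dict)  # src ip -> time of last ignored SYN
    approved: set = field(default_factory=set)    # sources that retried with sane timing

    def on_syn(self, src_ip: str, now: float) -> str:
        """Decide what to do with an inbound SYN from src_ip at time 'now'.
        Returns 'accept', 'ignore' (silently dropped, source greylisted) or
        'aggressive' (retry came too fast; the greylist timer is restarted)."""
        if src_ip in self.approved:
            return "accept"                 # already proved it retries properly
        last = self.greylist.get(src_ip)
        if last is None:
            self.greylist[src_ip] = now     # unknown source: drop SYN, remember it
            return "ignore"
        elapsed = now - last
        if elapsed < MIN_RETRY_SECS:
            self.greylist[src_ip] = now     # hammering: must back off from this point
            return "aggressive"
        if elapsed > GREYLIST_TTL_SECS:
            self.greylist[src_ip] = now     # entry expired: treat as first contact
            return "ignore"
        del self.greylist[src_ip]           # well-timed retry: allow and approve
        self.approved.add(src_ip)
        return "accept"


def run(events):
    """Apply the policy to a list of (time_secs, src_ip) SYN events in order."""
    g = SynGreylister()
    return [g.on_syn(ip, t) for t, ip in events]


# Constructed SYN arrival log (not a real capture).
SAMPLE_EVENTS = [
    (0.00, "192.0.2.10"),     # legitimate client, first SYN
    (0.00, "198.51.100.7"),   # scanner, first SYN
    (0.05, "198.51.100.7"),   # scanner immediately hammers a retry
    (1.00, "192.0.2.10"),     # normal TCP retransmit about 1 s later
    (1.20, "192.0.2.10"),     # source now approved: accepted at once
    (200.0, "203.0.113.5"),   # another bot that never retries
]

if __name__ == "__main__":
    for (t, ip), action in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"t={t:7.2f}s {ip:15} -> {action}")
```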
Greylisting has proven to reduce malicious connections by over 98% in our
testing with JNIORs directly connected to the Internet. In reality this does not
completely eliminate the risk, and other steps are recommended in an overall
defense strategy, but it is very effective. It is also unique, as we are not
aware at the time of this writing of any other system employing the technique in
this fashion. We highly recommend enabling Greylisting on any JNIOR accepting
connections from the Internet. This does not impact your normal legitimate use
of the product in any way. It is not enabled by default.
Note that packets initially rejected by Greylisting are considered to be
network noise. These may be filtered from the NETSTAT sniffer display.
SEE ALSO
HELP Topics:
NETSTAT
[/flash/manpages/manpages.hlp:1897]