
List:       postfix-users
Subject:    Re: What is this?
From:       Phil Biggs <mb170712 () pjb ! cc>
Date:       2020-02-28 22:55:04
Message-ID: 53259.20200229095504 () pjb ! cc

Friday, February 28, 2020, 8:06:51 PM, Matus UHLAR - fantomas wrote:

> On 27.02.20 08:09, Phil Biggs wrote:
>>A friend and I experienced this in October last year.
>>
>>I believe these SYNs have forged source addresses, the objective being one or more of:
>>- a DoS attack on the legit owner of the IP,
>>- create a state table size issue for you,
>>- to have you block legitimate sources.
>>The last of these certainly happened here.

> per my last e-mail...
> https://marc.info/?l=postfix-users&m=158272022625515&w=2

> SYN with forged address cannot cause this kind of error.  This error
> requires a connection to be made (until then postfix does not know about it) and
> then closed. Thus it requires SYN - SYN+ACK - ACK, which does not work with a
> forged address.

You are completely correct, of course.  I mistakenly replied to and quoted the OP instead
of Doug Hardie.  Very careless of me.  My apologies.

>>I set up a fail2ban rule to pick these up and, after one day,
>>nearly 9,500 sources had been blocked at the firewall.
>>However, the pf table included addresses that belonged to the likes of MessageLabs.
>>I dropped the rule and unbanned them after realizing that.

> It's more likely that MessageLabs scans the internet for open relays and
> mail server features to gather statistics about the internet.

The SYN (or SYN+ACK) attack was targeting whole address blocks belonging
to AWS, MessageLabs, a Turkish bank and many others.
Phil
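The point argued above (a SYN with a forged source can fill a firewall state table and hit the address's real owner with SYN+ACK backscatter, but can never produce a Postfix log line, because Postfix only sees a socket after the handshake completes) is easy to check with a small model. The following is an added example, not code from the thread or from Postfix: a toy network with an SMTP listener, a legitimate client, and the real owners of some forged addresses. The error discussed in the thread is not quoted on this page; the example assumes it is Postfix's "lost connection after CONNECT" line, which matches the description "connection made and then closed". All addresses are RFC 5737 documentation prefixes chosen for the example.

```python
# Added example (not from the thread or Postfix): toy model of a TCP listener
# with SYN_RECEIVED / ESTABLISHED state, used to check that a forged-source SYN
# can never produce a Postfix "connect from" or "lost connection after CONNECT"
# line. Addresses below are constructed RFC 5737 documentation addresses.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "S" SYN, "SA" SYN+ACK, "A" ACK, "F" FIN, "R" RST


class Host:
    def __init__(self, addr):
        self.addr = addr
        self.received = 0  # packets delivered to this host

    def handle(self, pkt):
        self.received += 1
        return []


class SmtpServer(Host):
    """Listening socket plus the kernel/firewall state it creates.

    A SYN only creates a half-open (SYN_RECEIVED) entry. Postfix is handed the
    socket by accept() after the peer's ACK completes the handshake, so its
    "connect from" / "lost connection" lines can only refer to sources that
    actually completed SYN - SYN+ACK - ACK.
    """
    def __init__(self, addr):
        super().__init__(addr)
        self.half_open = set()      # sources in SYN_RECEIVED
        self.established = set()    # sources Postfix has accepted
        self.postfix_log = []       # what smtpd would log (assumed format)

    def handle(self, pkt):
        super().handle(pkt)
        if pkt.flags == "S":
            self.half_open.add(pkt.src)
            # SYN+ACK goes to the *claimed* source, whoever really owns it.
            return [Packet(self.addr, pkt.src, "SA")]
        if pkt.flags == "A" and pkt.src in self.half_open:
            self.half_open.discard(pkt.src)
            self.established.add(pkt.src)
            self.postfix_log.append(f"connect from unknown[{pkt.src}]")
        elif pkt.flags == "R" and pkt.src in self.half_open:
            self.half_open.discard(pkt.src)  # back to LISTEN, nothing logged
        elif pkt.flags in ("F", "R") and pkt.src in self.established:
            self.established.discard(pkt.src)
            self.postfix_log.append(
                f"lost connection after CONNECT from unknown[{pkt.src}]")
        return []  # anything else is silently dropped


class LegitClient(Host):
    """Real client: answers SYN+ACK with ACK, then hangs up before talking SMTP."""
    def handle(self, pkt):
        super().handle(pkt)
        if pkt.flags == "SA":
            return [Packet(self.addr, pkt.src, "A"), Packet(self.addr, pkt.src, "F")]
        return []


class SpoofedOwner(Host):
    """Real owner of a forged source address: it never sent a SYN, so it answers
    the unsolicited SYN+ACK with RST. These replies are the backscatter that makes
    the attack a DoS on the owner and never reach Postfix as a connection."""
    def handle(self, pkt):
        super().handle(pkt)
        if pkt.flags == "SA":
            return [Packet(self.addr, pkt.src, "R")]
        return []


def run(hosts, initial):
    """Deliver packets until the network is quiet; packets to unknown hosts vanish."""
    by_addr = {h.addr: h for h in hosts}
    queue = deque(initial)
    while queue:
        pkt = queue.popleft()
        dst = by_addr.get(pkt.dst)
        if dst is not None:
            queue.extend(dst.handle(pkt))


def legit_scenario():
    """One genuine client connects and immediately closes: two log lines, no half-open state."""
    srv, cli = SmtpServer("192.0.2.25"), LegitClient("203.0.113.5")
    run([srv, cli], [Packet(cli.addr, srv.addr, "S")])
    return srv.postfix_log, len(srv.half_open)


def spoofed_syn_flood(n_syns=100, n_live_owners=10):
    """Attacker forges n_syns SYNs from 198.51.100.1..n_syns; only the first
    n_live_owners addresses have a live host. Returns (postfix log, half-open
    entries left in the state table, SYN+ACKs that hit the real owners)."""
    srv = SmtpServer("192.0.2.25")
    owners = [SpoofedOwner(f"198.51.100.{i}") for i in range(1, n_live_owners + 1)]
    syns = [Packet(f"198.51.100.{i}", srv.addr, "S") for i in range(1, n_syns + 1)]
    run([srv, *owners], syns)
    return srv.postfix_log, len(srv.half_open), sum(o.received for o in owners)


if __name__ == "__main__":
    print("legit:", legit_scenario())
    print("spoofed flood:", spoofed_syn_flood())
```

With the defaults, the flood leaves 90 half-open entries on the listener (the state-table pressure), sends 10 SYN+ACKs to the real owners of the forged addresses (the backscatter those owners see), and produces an empty Postfix log, while the single legitimate client produces both a "connect from" and a "lost connection after CONNECT" line. Whatever Postfix logged in the original thread therefore came from peers that really did complete the handshake, which is also why a fail2ban rule keyed on such lines bans real mail servers rather than a spoofer.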
