Friday, February 28, 2020, 8:06:51 PM, Matus UHLAR - fantomas wrote:

> On 27.02.20 08:09, Phil Biggs wrote:
>> A friend and I experienced this in October last year.
>>
>> I believe these SYNs have forged source addresses. The objectives being one
>> or more of:
>> - a DoS attack on the legit owner of the IP,
>> - create a state table size issue for you,
>> - to have you block legitimate sources.
>> The last of these certainly happened here.

> per my last e-mail...
> https://marc.info/?l=postfix-users&m=158272022625515&w=2
> A SYN with a forged address cannot cause this kind of error. This error
> requires a connection to be made (until then postfix does not know about it) and
> then closed. Thus it requires SYN - SYN+ACK - ACK, which does not work with
> a forged address.

You are completely correct, of course. I mistakenly replied to and quoted the OP
instead of Doug Hardie. Very careless of me. My apologies.

>> I set up a fail2ban rule to pick these up and, after one day,
>> nearly 9,500 sources had been blocked at the firewall.
>> However, the pf table included addresses that belonged to the likes of
>> MessageLabs.
>> I dropped the rule and unbanned them after realizing that.

> It's more likely that MessageLabs scan the internet for open relays and
> mail server features to gather statistics about the internet.

The SYN (or SYN+ACK) attack was targeting whole address blocks belonging to AWS,
MessageLabs, a Turkish bank and many others.

Phil
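As an added illustration of the handshake point made in the quoted reply (example code written for this page, not from the thread, postfix or fail2ban; the addresses, the host model and the queue behaviour are constructed for the demonstration), the toy model below runs a server through three cases: SYNs forged from a live host, SYNs forged from addresses nobody answers, and one genuine client. It shows why neither forged case can ever produce a "connection made, then closed" event at the application, while the second forged case does leave half-open entries behind, which is the state-table cost listed among the objectives above. The RST the live host sends back is the unsolicited SYN+ACK traffic a forged victim observes.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str
    dst: str
    flags: str  # one of "SYN", "SYN+ACK", "ACK", "RST", "FIN"


class Network:
    """Delivers a segment to the host that owns its destination address.
    Segments addressed to a host that does not exist are silently dropped,
    which is what happens to a SYN+ACK sent to an unused forged source."""

    def __init__(self):
        self.hosts = {}

    def add(self, host):
        self.hosts[host.addr] = host
        host.net = self
        return host

    def send(self, seg):
        host = self.hosts.get(seg.dst)
        if host is not None:
            host.receive(seg)


@dataclass
class Host:
    addr: str
    listening: bool = False
    net: Network = None
    pending: set = field(default_factory=set)      # peers we sent a SYN to
    half_open: set = field(default_factory=set)    # SYN received, ACK not yet
    established: set = field(default_factory=set)
    app_log: list = field(default_factory=list)    # what the MTA would log
    backscatter: int = 0                           # unsolicited SYN+ACKs seen

    def connect(self, dst):
        self.pending.add(dst)
        self.net.send(Segment(self.addr, dst, "SYN"))

    def close(self, dst):
        self.established.discard(dst)
        self.net.send(Segment(self.addr, dst, "FIN"))

    def receive(self, seg):
        peer = seg.src
        if seg.flags == "SYN" and self.listening:
            # Kernel allocates a half-open entry and answers the SYN.
            self.half_open.add(peer)
            self.net.send(Segment(self.addr, peer, "SYN+ACK"))
        elif seg.flags == "SYN+ACK":
            if peer in self.pending:
                self.pending.discard(peer)
                self.established.add(peer)
                self.net.send(Segment(self.addr, peer, "ACK"))
            else:
                # No socket asked for this: a real host answers with RST.
                self.backscatter += 1
                self.net.send(Segment(self.addr, peer, "RST"))
        elif seg.flags == "ACK" and peer in self.half_open:
            # Handshake complete: only now does the application learn
            # that a client exists.
            self.half_open.discard(peer)
            self.established.add(peer)
            self.app_log.append(f"connect from {peer}")
        elif seg.flags == "RST" and peer in self.half_open:
            self.half_open.discard(peer)  # torn down, never reached the app
        elif seg.flags == "FIN" and peer in self.established:
            self.established.discard(peer)
            self.app_log.append(f"disconnect from {peer}")


def spoof_syn(net, forged_src, target):
    """Attacker injects a SYN whose source address is not its own."""
    net.send(Segment(forged_src, target, "SYN"))


def run_scenario():
    net = Network()
    mta = net.add(Host("203.0.113.25", listening=True))  # constructed MTA address
    victim = net.add(Host("198.51.100.7"))               # live host whose address is forged
    client = net.add(Host("192.0.2.10"))                 # genuine SMTP client

    # 1. SYNs forged "from" a live victim: the SYN+ACK reaches the victim,
    #    which resets it, so the MTA's half-open entry is dropped before the
    #    application ever sees a connection.
    for _ in range(5):
        spoof_syn(net, victim.addr, mta.addr)
    after_live_spoof = (list(mta.app_log), len(mta.half_open), victim.backscatter)

    # 2. SYNs forged from addresses nobody answers: the SYN+ACK vanishes and
    #    each half-open entry lingers, which is the state-table cost.
    for i in range(50):
        spoof_syn(net, f"198.51.100.{100 + i}", mta.addr)
    after_silent_spoof = (list(mta.app_log), len(mta.half_open))

    # 3. A real client completes the handshake and closes: the only path that
    #    yields a connect/disconnect pair in the application log.
    client.connect(mta.addr)
    client.close(mta.addr)
    return {
        "live_spoof": after_live_spoof,
        "silent_spoof": after_silent_spoof,
        "final_app_log": list(mta.app_log),
        "half_open_left": len(mta.half_open),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The model assumes the attacker cannot see the SYN+ACK sent to the forged address; an on-path attacker, or one who can predict the server's initial sequence number, could complete the handshake without it, and real kernels also expire half-open entries (or use SYN cookies) rather than keeping them indefinitely as the toy server does.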