Gabriele Bulfon:
> Hello,
> we recently had some situation of full bandwidth usage through our
> firewall, and by investigation we discovered that this was caused
> by a specific mail to a specific destination sent via Postfix 3.1.6.
> We found an ACK SYN DUP flood during the problem, many many packets
> sent, and this on the postfix log regarding that transaction:

FYI, Postfix does not send SYN packets. SYN packets are sent by the
network stack in your kernel when a program opens a TCP connection.
The remote server is then expected to respond with a SYN|ACK packet.

    client SYN -> server
    client <- SYN|ACK server
    client ACK -> server

A properly working network stack will send a SYN packet for each
new outbound TCP connection, and will retransmit the SYN packet
after several seconds until it gives up. A repeated SYN packet will
result in a SYN|ACK response (with perhaps a different server initial
sequence number). With delays of seconds it is hard to achieve a
SYN flood.

Now, it is possible that you have configured Postfix with huge limits
on process counts and destination concurrency. In that case Postfix
will attempt to make a huge number of connections to the same site,
which effectively results in large numbers of SYN and SYN|ACK packets.
That would be a problem of your own making.

	Wietse
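
The two causes described in the reply above can be told apart in a packet capture: kernel retransmissions repeat the SYN on the same 4-tuple seconds apart, while high sender concurrency shows many distinct source ports to one destination. The following is an added example, not part of the original thread; the record layout, the function name `summarize_syns` and the sample packets are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (time_s, src_ip, src_port, dst_ip, dst_port, flags).
# Documentation-range addresses; this is not data from the thread.
SAMPLE = (
    # one connection whose SYN is retransmitted with back-off
    [(t, "192.0.2.10", 40000, "203.0.113.25", 25, "S") for t in (0.0, 1.0, 3.0, 7.0)]
    # 200 separate connections opened to another destination within 2 seconds
    + [(i * 0.01, "192.0.2.10", 41000 + i, "198.51.100.7", 25, "S") for i in range(200)]
    # a SYN|ACK reply, which the summary ignores
    + [(0.5, "198.51.100.7", 25, "192.0.2.10", 41000, "SA")]
)

def summarize_syns(packets):
    """Per destination: distinct connection attempts vs. retransmitted SYNs."""
    per_flow = defaultdict(list)              # 4-tuple -> SYN timestamps
    for t, sip, sport, dip, dport, flags in packets:
        if flags == "S":                      # client SYN only, not SYN|ACK
            per_flow[(sip, sport, dip, dport)].append(t)
    report = {}
    for (sip, sport, dip, dport), times in per_flow.items():
        times.sort()
        r = report.setdefault(
            (dip, dport), {"connections": 0, "retransmits": 0, "min_gap_s": None})
        r["connections"] += 1                 # each 4-tuple is one connect()
        r["retransmits"] += len(times) - 1    # repeats on the same 4-tuple
        gaps = [b - a for a, b in zip(times, times[1:])]
        if gaps and (r["min_gap_s"] is None or min(gaps) < r["min_gap_s"]):
            r["min_gap_s"] = min(gaps)
    for r in report.values():
        # Many distinct flows point at sender concurrency; repeats on one
        # flow are the kernel's seconds-apart retransmission.
        r["cause"] = ("concurrency" if r["connections"] > r["retransmits"]
                      else "retransmission")
    return report

if __name__ == "__main__":
    for dest, r in summarize_syns(SAMPLE).items():
        print(dest, r)
```

The summary assumes a source port is not reused for the same destination within the capture window.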