[nflug] Wierd stuff, not necessarily linux related, but I call upon smarter people than I..

[Richard Hubbard]

We have been having the occasional rejection of our email from our servers to at least one company.  When we do a packet sniff at both ends, I see the start of a TCP/IP three way handshake, then a reset packet from the other email server. My email server then caches the result, and stops trying to connect to the other email server until the cache expires and then it tries again.

The packet capture on the other end does not see the normal 3 way handshake.  Instead it sees 2 identical SYN packets (including identical sequence numbers). It seems to see this as a SYN Flood attack, and sends the reset packet, stopping all communications.

( As a side note, from what I have been able to determine from people who code tcp/ip stacks, the correct way to handle duplicate, identical packets is not to reject them, but to drop the duplicates, as there are many things which can cause duplicated packets out in the tubes.

As I said earlier, I don't see the duplicated SYN packets coming out of my email server. I haven't tried to monitor at every router switch that I have control of because that takes some coordination between their IT an me, but I am suspecting that if it is coming from something under my control, it will either the Dell 6224 switch, or our Sonicwall firewall.

So, the question is...Has anyone had similar experiences?  Does anyone here run Qmail or Postfix (I'm not sure which one was rejecting the duplicated packets) Is there a "syn attack" setting that can be configured that I can tell people about which will allow their servers to lighten up a little?

 
Thanks!
<span style="font-family:comic sans ms;">Richard Hubbard </span>
ATTO Technology Inc



      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.nflug.org/pipermail/nflug/attachments/20081013/e037d02b/attachment.html