Seeing strange TCP retransmission traffic on smtp server port 25


I have been working on my Postfix (and Dovecot) server and had Wireshark open for debugging (and verifying that STARTTLS was working).

Now I suddenly started to get some strange requests from many IPs in Korea. After these attacks I got a lot of TCP retransmissions from my end. My internet and servers are still fine.

After some research this looks like a TCP reflection attack: https://blog.radware.com/security/2019/11/threat-alert-tcp-reflection-attacks/

I for now closed my port 25 on my router which fixed it but I still think that this is very strange.

So my questions are:

  • Am I right about this being a reflection attack?
  • Why in the world might someone/something do this? It doesn't seem to be having any noticeable effects.
  • Should I be worried?
  • How do I get rid of it? (besides closing my port on my router)

Screenshot of Wireshark:

Tthecreator

Posted 2019-12-23T14:01:07.110

Reputation: 1
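The pattern the poster describes (many SYNs from unrelated sources, followed by the server retransmitting its own SYN-ACKs) is what a TCP reflection attack looks like from the reflector's side: the SYN carries a spoofed source address, the victim at that address never completes the handshake, and the server keeps retransmitting with exponential backoff. The script below is an added example, not code from the original post, that shows how to spot that signature in a packet list. It assumes a handful of constructed packet records in the shape you would get from exporting a Wireshark capture (timestamp, source, destination, TCP flags, and whether Wireshark marked the packet as a retransmission); the addresses are RFC 5737 documentation ranges and `192.0.2.25` stands in for the mail server.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample packets (not the poster's capture). Tuple fields:
# (seconds, src, dst, flags, marked_as_retransmission_by_wireshark)
SAMPLE_PACKETS = [
    # Client A: normal three-way handshake.
    (0.000, "198.51.100.10", "192.0.2.25", "SYN", False),
    (0.001, "192.0.2.25", "198.51.100.10", "SYN-ACK", False),
    (0.002, "198.51.100.10", "192.0.2.25", "ACK", False),
    # Client B: one SYN in, SYN-ACK never acknowledged, server backs off 1s/2s/4s.
    (1.000, "203.0.113.5", "192.0.2.25", "SYN", False),
    (1.001, "192.0.2.25", "203.0.113.5", "SYN-ACK", False),
    (2.001, "192.0.2.25", "203.0.113.5", "SYN-ACK", True),
    (4.001, "192.0.2.25", "203.0.113.5", "SYN-ACK", True),
    (8.001, "192.0.2.25", "203.0.113.5", "SYN-ACK", True),
    # Client C: same pattern from a second source.
    (1.500, "203.0.113.7", "192.0.2.25", "SYN", False),
    (1.501, "192.0.2.25", "203.0.113.7", "SYN-ACK", False),
    (2.501, "192.0.2.25", "203.0.113.7", "SYN-ACK", True),
    (4.501, "192.0.2.25", "203.0.113.7", "SYN-ACK", True),
    # Client D: slow but genuine; one retransmission, then the handshake completes.
    (3.000, "198.51.100.20", "192.0.2.25", "SYN", False),
    (3.001, "192.0.2.25", "198.51.100.20", "SYN-ACK", False),
    (4.001, "192.0.2.25", "198.51.100.20", "SYN-ACK", True),
    (4.050, "198.51.100.20", "192.0.2.25", "ACK", False),
]


@dataclass
class PeerStats:
    received: int = 0        # packets the server got from this peer
    sent: int = 0            # packets the server sent to this peer
    synack_retrans: int = 0  # SYN-ACKs Wireshark flagged as retransmissions
    completed: bool = False  # did the peer ever ACK the server's SYN-ACK?


def summarize_peers(packets, server_ip):
    """Tally per-peer packet counts and handshake state from the server's view."""
    stats = defaultdict(PeerStats)
    for _t, src, dst, flags, retrans in packets:
        if dst == server_ip:
            s = stats[src]
            s.received += 1
            if flags == "ACK":
                s.completed = True
        elif src == server_ip:
            s = stats[dst]
            s.sent += 1
            if flags == "SYN-ACK" and retrans:
                s.synack_retrans += 1
    return dict(stats)


def reflection_suspects(packets, server_ip, min_retrans=2):
    """Peers whose SYN-ACK was retransmitted at least min_retrans times and
    never acknowledged. The server is then sending several packets in reply
    to a single SYN at an address that most likely never sent it, which is
    the reflection signature. Value is the sent/received packet-count ratio."""
    out = {}
    for peer, s in summarize_peers(packets, server_ip).items():
        if s.synack_retrans >= min_retrans and not s.completed:
            out[peer] = round(s.sent / s.received, 2)
    return out


if __name__ == "__main__":
    for peer, ratio in sorted(reflection_suspects(SAMPLE_PACKETS, "192.0.2.25").items()):
        print(f"{peer}: server sent {ratio}x the packets it received")
```

On a real capture the same logic can be applied to a CSV exported from Wireshark after narrowing the view with the display filter `tcp.analysis.retransmission`; a large set of peers that never complete the handshake, spread across many unrelated source networks, is what distinguishes this from an ordinary spammer whose connections do complete. The `completed` flag is what keeps a slow but legitimate client (Client D) out of the suspect list.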

It seems likely spammers are trying to send spam to your mail server. I am sure the spam is being rejected. – John – 2019-12-23T14:04:23.103

Well @John I don't have any spam after all, but I didn't add advanced anti-spam, just an IP blacklist. These however are residential non-blacklisted IPs it seems. – Tthecreator – 2019-12-23T14:06:57.633

If I were to look at the log of traffic incoming to my router (I did years ago) there were people banging at the door and stopped. Scanners, would-be attackers, spammers, whatever. I would say that if you are not being actively attacked that you probably do not need to worry. – John – 2019-12-23T14:12:15.867

@John thanks for your time and answer – Tthecreator – 2019-12-23T14:22:42.550

No answers