I would add careful use of some rate-limiting functionality (already mentioned in Richard Steenbergen's http://www.e-gerbil.net/ras/dos.txt) so you can rate-limit things like ICMP and acks numbered 0 and anything else that show themselves to be obvious candidates over time.
In actuality, in a TCP SYN packet, an ack of 0 is very common. If you view legitimate syn's generated by real stacks, you will see at dword offset 7: 0x00000000. Last time I checked, this was a 0 for all intents and purposes. By rate-limiting acks of 0, you are rate-limiting most syn packets, which I don't think is the ultimate goal.

-j
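The overlap described in this exchange, as an added example that is not from either poster: it parses constructed IPv4/TCP headers (no IP options, checksums left at zero), locates the acknowledgment number at dword 7 counted from the start of the IP header, and compares a match on "ack number is 0" with one that also requires the ACK flag. The flag-aware rule, the function names and the sample packets are assumptions made for illustration.

```python
import struct

ACK_FLAG, SYN_FLAG = 0x10, 0x02

def build_packet(flags, seq, ack):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

def parse(packet):
    """Return (tcp_flags, ack_number, dword index of the ack field from IP header start)."""
    ihl = (packet[0] & 0x0F) * 4      # IP header length in bytes
    ack_off = ihl + 8                 # ack number occupies bytes 8..11 of the TCP header
    (ack,) = struct.unpack_from("!I", packet, ack_off)
    flags = packet[ihl + 13]          # TCP flags byte
    return flags, ack, ack_off // 4

def naive_match(packet):
    """Rule as literally stated: match any TCP packet whose ack number is 0."""
    _, ack, _ = parse(packet)
    return ack == 0

def flag_aware_match(packet):
    """Assumed refinement: the ack field only carries meaning when the ACK flag is set."""
    flags, ack, _ = parse(packet)
    return bool(flags & ACK_FLAG) and ack == 0

# Constructed packets: a normal handshake plus one segment with ACK set and ack number 0.
SAMPLES = {
    "client SYN":           build_packet(SYN_FLAG, 1000, 0),
    "server SYN-ACK":       build_packet(SYN_FLAG | ACK_FLAG, 5000, 1001),
    "established ACK":      build_packet(ACK_FLAG, 1001, 5001),
    "ACK flag, ack number 0": build_packet(ACK_FLAG, 1, 0),
}

def summarize():
    """Map each sample name to (naive_match, flag_aware_match)."""
    return {name: (naive_match(p), flag_aware_match(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, aware) in summarize().items():
        print(f"{name:24s} naive={naive!s:5s} flag_aware={aware}")
```
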