But of course. The problem is that SYN_RCVD is a transient state in the TCP automaton, and it requires some resource allocation. Life might have been a little bit different if servers weren't forced to track this state. Something like a signed ticket accompanying the second SYN and the following ACK.

Dima

Paul Ferguson writes:
I agree completely, but neither one is a panacea.
- paul
At 08:40 AM 10/3/96 -0400, Dima Volodin wrote:
And if everyone doesn't make any attacks we won't have any problems either. To rephrase - relying on ingress filtering is putting your security in someone else's hands, doing host-based stuff is protecting yourself with your own hands. To rephrase once again - doing ingress filtering is "being conservative with what you produce", being able to cope with SYN floods on the host level is "being liberal in what you accept." We need both, and overemphasising one side of the solution will do a lot of harm.
Dima
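The "signed ticket" Dima sketches in his reply above (the idea that became known as SYN cookies) can be shown as a small stateless listener. The code below is an added example written for this page, not code from either poster: the server puts an HMAC-based 32-bit ticket in its SYN-ACK sequence number instead of allocating a SYN_RCVD entry, and only admits a connection when the client's ACK returns that ticket for the same address pair within a bounded lifetime. The secret, the 5-bit coarse time counter, the 64-second unit and the HMAC-SHA256 truncation are all assumptions chosen for the demonstration, and the packets are constructed dictionaries rather than real TCP segments.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumption: a per-server secret; a real deployment rotates it periodically.
SECRET = b"constructed-demo-secret-do-not-reuse"

TIME_BITS = 5                 # coarse time counter in the top bits of the ticket
TIME_UNIT = 64                # seconds per counter step (assumed granularity)
MAC_BITS = 32 - TIME_BITS     # remaining bits hold the truncated MAC
COUNTER_MASK = (1 << TIME_BITS) - 1


def _counter(now):
    """Coarse time counter; wraps every 2**TIME_BITS * TIME_UNIT seconds."""
    return (int(now) // TIME_UNIT) & COUNTER_MASK


def _tag(src_ip, src_port, dst_port, counter, secret):
    """Truncated HMAC over the address pair and the time counter."""
    msg = struct.pack(">4sHHB", ipaddress.IPv4Address(src_ip).packed,
                      src_port, dst_port, counter)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & ((1 << MAC_BITS) - 1)


def make_ticket(src_ip, src_port, dst_port, now, secret=SECRET):
    """32-bit value the server places in its SYN-ACK sequence number."""
    c = _counter(now)
    return (c << MAC_BITS) | _tag(src_ip, src_port, dst_port, c, secret)


def check_ticket(ticket, src_ip, src_port, dst_port, now, secret=SECRET):
    """True if we minted this ticket for this address pair in the current
    or previous counter step; anything older or forged is rejected."""
    c_now = _counter(now)
    c_ticket = ticket >> MAC_BITS
    if c_ticket not in (c_now, (c_now - 1) & COUNTER_MASK):
        return False
    expected = (c_ticket << MAC_BITS) | _tag(src_ip, src_port, dst_port,
                                             c_ticket, secret)
    # constant-time comparison of the 32-bit values
    return hmac.compare_digest(ticket.to_bytes(4, "big"),
                               expected.to_bytes(4, "big"))


class StatelessListener:
    """Listener with no SYN_RCVD table: the SYN-ACK carries the ticket,
    the client's ACK hands it back, and only completed handshakes are stored."""

    def __init__(self, port):
        self.port = port
        self.established = []

    def on_syn(self, src_ip, src_port, now):
        # Nothing is allocated for the half-open connection.
        return {"seq": make_ticket(src_ip, src_port, self.port, now)}

    def on_ack(self, src_ip, src_port, ack, now):
        # The ACK acknowledges our ISN + 1, so the ticket is ack - 1.
        ticket = (ack - 1) & 0xFFFFFFFF
        ok = check_ticket(ticket, src_ip, src_port, self.port, now)
        if ok:
            self.established.append((src_ip, src_port))
        return ok


if __name__ == "__main__":
    srv = StatelessListener(80)
    synack = srv.on_syn("192.0.2.10", 40000, now=1000)          # constructed SYN
    print("honest ACK accepted:",
          srv.on_ack("192.0.2.10", 40000, (synack["seq"] + 1) & 0xFFFFFFFF, 1030))
    print("blind-guess ACK accepted:",
          srv.on_ack("192.0.2.10", 40000, 12345, 1030))
    print("established:", srv.established)
```

The listener never stores anything between SYN and ACK, so a flood of SYNs costs it only the HMAC per segment rather than a table entry per half-open connection. The price, which a real SYN cookie implementation also pays, is that whatever the SYN carried and was not folded into the ticket (the client's MSS and other options here) is lost, so production schemes encode a few option bits in the cookie as well.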