Your suggestion has two flaws:

1. missed SYN ACKs due to asymmetric routing.
2. missed SYN ACKs due to diode routes.

One could argue, of course, that notification of this condition (without speculating on whether the condition is any of an asymmetric route, a diode route, or a SYN attack) might be worthwhile...

I'm gonna have to go digging in my archives for the messages I sent to the CERT and the IETF about this potential problem after it happened to me at Apple, three years ago, due to a diode route. I publicly recommended to the IETF mailing list that the edges of the network be filtered, and I privately recommended to the CERT that they begin flogging the systems vendors for robustness in the face of precisely this denial of service attack in their hosts.

You can imagine the incredible levels of enthusiastic "can do" attitude I got...

Erik Fair