Larry writes:
Until someone implements this as a feature, then 2600 will post the code to a program that sends SYNs followed by ACKs a minute later. The damage would be done by then, but the stats would show balanced flows.
That's not a terribly useful type of attack. That can only be done from a specific host and can't spoof the originating address. To send the second ACK, you have to see the SYN/ACK come back from the server and know the server's sequence # etc. You either have to be that host, or on the wire somewhere to it so you can sniff the SYN/ACKs going by. "On the wire" is relatively hard nowadays, and will limit the range of addresses that can be spoofed. Unless someone subverts hosts on transit networks... in which case all sorts of things are possible, this merely being one of them. -george william herbert gherbert@crl.com
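The point made in the reply above, as an added example that is not part of the original thread or anyone's posted code: a toy packet trace in which an attacker sends SYNs from spoofed addresses and "balancing" ACKs a minute later. A counter that only balances SYN and ACK flags per source is fooled, while a counter that remembers ISN_server + 1 from the SYN/ACK the server sent is not, because the attacker who never saw that SYN/ACK can only guess the ACK number. An attacker who is on the wire and can copy the real ISN does pass the stricter check, which is the caveat the reply ends on. The addresses, ports, both checker functions and the trace itself are constructed for this example; nothing is sent on a network.

```python
"""Added example, not part of the thread above: a toy model of the
"SYN now, ACK a minute later" trick and of why a counter that only balances
SYN and ACK flags is fooled while one that remembers the server's ISN from
its SYN/ACK is not. All packets are constructed in memory; nothing is sent.
Addresses, ports and the two checker functions are assumptions of this example."""

import random
from collections import defaultdict
from dataclasses import dataclass

SERVER = "10.0.0.1"      # assumed victim address (constructed)
MASK32 = 0xFFFFFFFF      # TCP sequence numbers wrap at 2^32


@dataclass(frozen=True)
class Pkt:
    t: float    # seconds since start of trace
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    seq: int
    ack: int


def flag_balance(pkts):
    """Naive accounting: per source, SYNs minus bare ACKs sent to SERVER.
    Zero looks like every handshake completed."""
    syn = defaultdict(int)
    ack = defaultdict(int)
    for p in pkts:
        if p.dst != SERVER:
            continue
        if p.flags == "S":
            syn[p.src] += 1
        elif p.flags == "A":
            ack[p.src] += 1
    return {s: syn[s] - ack[s] for s in syn}


def half_open(pkts):
    """State-aware accounting: a third-packet ACK only closes a handshake if
    its ACK number equals ISN_server + 1 from the SYN/ACK the server sent to
    that (client, port). Returns per-source count of handshakes still open."""
    expected = {}                 # (client, cport) -> ack number that completes it
    pending = defaultdict(int)
    for p in pkts:
        if p.dst == SERVER and p.flags == "S":
            pending[p.src] += 1
            expected[(p.src, p.sport)] = None      # SYN/ACK not yet seen
        elif p.src == SERVER and p.flags == "SA":
            key = (p.dst, p.dport)
            if key in expected:
                expected[key] = (p.seq + 1) & MASK32
        elif p.dst == SERVER and p.flags == "A":
            key = (p.src, p.sport)
            if expected.get(key) is not None and p.ack == expected[key]:
                pending[p.src] -= 1
                del expected[key]
            # wrong or unknown ACK number: the handshake stays open
    return dict(pending)


def build_trace(seed=7, blind=4, sniffing=2):
    """Constructed trace: one honest client, `blind` spoofed sources whose
    SYN/ACK the attacker never sees (so the delayed ACK carries a guess), and
    `sniffing` spoofed sources where the attacker is on the wire and can copy
    the real ISN. Every delayed ACK comes 60 s after its SYN."""
    rng = random.Random(seed)
    pkts = []

    def handshake(client, port, t, ack_delay, knows_isn):
        cisn = rng.getrandbits(32)
        sisn = rng.getrandbits(32)
        pkts.append(Pkt(t, client, SERVER, port, 80, "S", cisn, 0))
        pkts.append(Pkt(t + 0.01, SERVER, client, 80, port, "SA", sisn, (cisn + 1) & MASK32))
        # Blind attacker never saw sisn, so its ACK number is a 32-bit guess.
        ack_num = (sisn + 1) & MASK32 if knows_isn else rng.getrandbits(32)
        pkts.append(Pkt(t + ack_delay, client, SERVER, port, 80, "A", (cisn + 1) & MASK32, ack_num))

    handshake("198.51.100.7", 40000, 0.0, 0.02, True)          # honest client
    for i in range(blind):
        handshake(f"192.0.2.{i + 1}", 50000 + i, 1.0 + i, 60.0, False)
    for i in range(sniffing):
        handshake(f"203.0.113.{i + 1}", 51000 + i, 10.0 + i, 60.0, True)
    pkts.sort(key=lambda p: p.t)
    return pkts


if __name__ == "__main__":
    trace = build_trace()
    print("flag balance:", flag_balance(trace))   # all zero: stats look clean
    print("half-open   :", half_open(trace))      # blind spoofers still open
```

Run it and the flag-only view reports every source as balanced, while the state-aware view leaves each blind spoofed source with one handshake open and clears the honest client and the on-wire attacker. The useful observation for a monitor is that it sees the server's SYN/ACK even when the spoofing attacker does not, so it can hold the attacker to the ISN the server actually chose rather than to flag counts.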