Anyway. Point is this: We can't take too much more of this, nor can our customers. I have yet to hear *anyone* come up with any ideas even remotely reasonable for how to deal with this situation, long term, except for the filtering that Avi, Perry, and I have been promoting these last few days.
If hardening all hosts against forged source address SYN attacks is not feasible then perhaps providing a hardened device in front of server farms is. How about something that spoofs the TCP connection setup, uses minimal resources for unconfirmed TCP connections and perhaps more aggressively times out these connections when under attack. Basically this firewall would not forward a SYN packet to a server from an unknown host until that host had properly ACKd a SYN ACK from the firewall. The resulting connection would require that the firewall adjust seq/ack numbers before forwarding the packets between the host and server as the pseudo random seq number used in the initial SYN ACK from the firewall to the host will be different from that proposed eventually by the server. And it makes sequence guessing attacks much harder as well. An idea? -Steve