ideas for half-open sync flood fixs? What I understand about this venerability: If a spoofed packet contains a host address that does exist on the net then the real host sends a reset and the fake half open socket is killed. No problem for the host. If a spoofed packet contains a nonexistent host address then no host is present to send a reset. Big problem for the host. fix 1. Doesn't the network respond with ICMP message to the attacked host telling it that the nonexistent host is unreachable. The attacked host could close a half open socket if it received a ICMP message with the corresponding host address and socket port data. fix 2. If a router cannot deliver a sync ack packet it could send a reset for that sync ack. fix 3. If a host sent a ping to the requesting source address before sending the sync ack then it could kill nonresponding hosts quickly. Three ideas form a lurker. Peter Cole peter@telescan.com Telescan Inc. (713) 588-9155 Better computing through lack of sleep Peter Cole (713)588-9155