| There have been several (many?) products attempting to solve the TCP | SYN attack through timeouts. They watch the SYN packets, and flush | ones, by doing a RESET on the connection if the third packet isn't | received in time. Or letting conenctions fail by flushing the infant | connection table when full. I believe this is wrong! [...] | I propose a solution where the initial sequence number is calculated | (not random), and is based on a cryptographic calculation of the | senders Initial Sequence Number, the ports, and a "per boot" | secret number. In this way the initial packet can be discarded, | and on receipt of the third SYN packet can be recalculated. cool idea! look at: ftp.op.net:/pub/src/syn-prophylactica/ for an implementation. --jeff