BTW, Alexis Rosen at Panix could use some help tracking down the person(s) attacking his machines -- he's more or less being shut down by this. He's having some trouble finding the right person at Sprint (one of his two providers) to talk to. If the right person could get in touch with me, I'll hook the two of you up.
Hopefully, with a little inter-provider cooperation, the guy will get caught and arrested soon.
Perry
I'll post more a bit later (the attack is under way now).

MCI was very cooperative, but Sprint said they didn't have time or energy (even though Panix is a Sprint customer) to help to find out where on Sprint's network the packets are entering. (Panix has a T1 to MCI and a T1 to Sprintlink. In fact, Panix was Sprintlink's first ISP customer (used to be on sl-dc-1-s0).)

For a while, the attacker was using a constant seq # (though random ports and src addresses). We hacked the kernel to filter out that seq # in TCP input routines.

While how to fix kernels so they're not as vulnerable to huge SYN storms is not a NANOG topic, finding the <expletives deleted regretfully> who do this is.

More later,
Avi
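The signature Avi describes, one fixed initial sequence number arriving from random source addresses and ports, is easy to pick out of a capture and is the kind of thing a provider would want to check before asking upstream for help. The following is an added example and is not code from the thread, from Panix, or from any kernel; it works on a constructed list of SYN records (RFC 5737 documentation addresses, a made-up fixed ISN) rather than real Panix traffic, and the "drop by ISN" function is a userland stand-in for the kernel input-path filter the message mentions, not the actual patch.

```python
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SynRecord:
    """One TCP SYN seen at the border: who sent it, to where, with which ISN."""
    ts: float      # seconds since start of the capture
    src: str
    sport: int
    dst: str
    dport: int
    seq: int       # initial sequence number carried by the SYN


# Constructed sample parameters (assumption: nothing here is real traffic).
FLOOD_SEQ = 0x12345678            # made-up fixed ISN used by the spoofed SYNs
VICTIM = ("198.51.100.10", 25)    # documentation address standing in for a mail host


def build_sample(n_flood=200, n_legit=30, seed=1):
    """Constructed capture: a spoofed storm (random src addr/port, one ISN)
    mixed with ordinary clients (few hosts, fresh random ISN per connection)."""
    rng = random.Random(seed)
    recs = []
    for i in range(n_flood):
        src = "%d.%d.%d.%d" % (rng.randrange(1, 224), rng.randrange(256),
                               rng.randrange(256), rng.randrange(1, 255))
        recs.append(SynRecord(i * 0.01, src, rng.randrange(1024, 65536),
                              VICTIM[0], VICTIM[1], FLOOD_SEQ))
    for j in range(n_legit):
        src = "192.0.2.%d" % (1 + j % 5)
        recs.append(SynRecord(j + 0.5, src, rng.randrange(1024, 65536),
                              VICTIM[0], VICTIM[1], rng.getrandbits(32)))
    return recs


def suspicious_isns(records, min_sources=10):
    """Group SYNs by ISN and report ISNs reused across many distinct
    (src, sport) pairs. Real clients pick a new ISN per connection, so one
    ISN shared by dozens of unrelated sources is the mark of a scripted,
    spoofed storm. Returns [(seq, total_syns, distinct_sources), ...]."""
    by_seq = defaultdict(list)
    for r in records:
        by_seq[r.seq].append((r.src, r.sport))
    hits = []
    for seq, sources in by_seq.items():
        distinct = len(set(sources))
        if distinct >= min_sources:
            hits.append((seq, len(sources), distinct))
    return sorted(hits, key=lambda h: -h[1])


def syn_rate(records, window=1.0):
    """Peak SYNs per `window` seconds for each (dst, dport): the plain load
    figure that shows whether the listen backlog is under pressure at all."""
    buckets = defaultdict(int)
    for r in records:
        buckets[(r.dst, r.dport, int(r.ts // window))] += 1
    peak = defaultdict(int)
    for (dst, dport, _), n in buckets.items():
        peak[(dst, dport)] = max(peak[(dst, dport)], n)
    return dict(peak)


def drop_isn(records, bad_seq):
    """Userland stand-in for the kernel tweak in the thread: discard every
    SYN carrying the attacker's fixed ISN and keep everything else. It only
    works while the attacker keeps that ISN constant."""
    return [r for r in records if r.seq != bad_seq]


if __name__ == "__main__":
    capture = build_sample()
    for seq, total, distinct in suspicious_isns(capture):
        print("ISN 0x%08x: %d SYNs from %d distinct sources" % (seq, total, distinct))
    print("peak SYN/s per service:", syn_rate(capture))
    print("SYNs left after ISN filter:", len(drop_isn(capture, FLOOD_SEQ)))
```

The ISN check is deliberately narrow: it catches the specific sloppiness Avi observed and nothing more, which is why the message treats it as a stopgap and keeps the real question (where the packets enter the provider's network) separate.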