From: Michael Dillon <michael@memra.com> ... Wouldn't the ratio be calculated from outgoing SYN's and incoming ACK's?

There are two ratios that could be calculated and it's not clear to me which one we're talking about here. The first ratio is the number of SYN-ack packets sent in one direction vs. the number of acks-of-SYN-ack packets coming in from the other. These should be about equal. A skew indicates a likely flooding attack. But computing this ratio requires keeping around per connection state, since the ack-of-SYN-ack packet otherwise looks like any other ack. The second ratio is the number of SYN packets sent in one direction vs. the number of SYN-acks in the other. This ratio is a much easier to measure but also a much less reliable indicator of a SYN flooding attack. In particular, SYN packets can elicit RST's or ICMP's instead of SYN-acks, and they can also elicit no response whatsoever. Furthermore, the cracker can, while flooding host A with SYN's, in addition also flood host B *and follow up immediately with a RST packet* that clears out B's state. This second stream can be maintained indefinitely, and will have the effect of bringing the count of SYN-ack's quite close to the count of SYN's, since B is always able to generate the SYN-ack. Vern