From: David Miller <david@sparks.net>

...

I suggest to check not only ratio (assymetric routing !), but high number of SYNs to single host.

I think this is pretty useless.

If you could get all the end-user ISP's (leaf nodes) to upgrade the OS on their router, you could have a default behavior of BLOCKING the problem SYN's in the first place.

There are the number of customers who are serviced by 2 or more providers and who can't support full routing table in it's routers. This customers setup some default route to one of it's provider, and in this case you would have ratio SYNs/SYN-ACK > 1 in one line.

SYN attacks which aren't from random src addresses aren't really a problem.

I am not shure. Do you like if you are blocked for access to some popular server due to hacker cracked some host in your network ? - Leonid Yegoshin, LY22 P.S. BTW, it is very simple to generate the flow of SYN-ACKs via router which count SYN/SYN-ACK ratio (in reverse path, of course).