Have a look at the firewalls mailing list archive for more info
There are at least three things you can do to protect yourself from such
attacks. One is to patch your UNIX/BSD kernel to allow much higher numbers
of incomplete socket connections. One is to have another machine or your
network issue RST's for sockets that it thinks are part of the SYN flood
I like this.
attack. And one is to install a SYN proxy machine between your net and the
Internet which catches all SYN packets and holds them until an ACK is
received at which point the SYN and the ACK are passed on to your network.
I like this even more, but the potential for disaster if the box goes down
is just too huge...
Such a proxy can be built to handle HUGE numbers of incomplete conections.
Michael Dillon - ISP & Internet Consulting