From: David Miller <email@example.com>
I suggest checking not only the ratio (asymmetric routing!),
but also a high number of SYNs to a single host.
I think this is pretty useless.
If you could get all the end-user ISPs (leaf nodes) to upgrade the OS on
their routers, you could have a default behavior of BLOCKING the problem
SYNs in the first place.
There are a number of customers who are served by 2 or more providers
and who can't support a full routing table in their routers. These customers
set up a default route to one of their providers, and in this case you would
have a ratio SYNs/SYN-ACKs > 1 on one line.
SYN attacks which aren't from random src addresses aren't really a
I am not sure. Would you like it if you were blocked from access
to some popular server because a hacker cracked some host in your network?
- Leonid Yegoshin, LY22
P.S. BTW, it is very simple to generate a flow of SYN-ACKs via a router
which counts the SYN/SYN-ACK ratio (in the reverse path, of course).
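The heuristic argued over in this exchange, worked through as an added example (this is not code from either correspondent or from any router or kernel of the period): a router-side tally of SYNs addressed to each host against SYN-ACKs that host sends back, with the plain ratio check placed beside the absolute SYN-count check Leonid asks for. The packet records are constructed for the example (the 192.0.2.x, 198.51.100.x, 203.0.113.x and 10.x addresses are documentation/private ranges, not real hosts), and the thresholds, the `(src, dst, flags)` tuple layout and the verdict labels are assumptions made for illustration. Scenario 2 reproduces the multi-homed customer whose SYN-ACKs leave by the other provider; scenario 4 reproduces the P.S., where forged SYN-ACKs in the reverse path flatten the ratio so that only the SYN count still notices.

```python
# Added example: per-host SYN vs SYN-ACK counting as a SYN-flood heuristic,
# combining the ratio check with an absolute SYN-count check. All packet
# records below are constructed for the example, not captured traffic.
from collections import defaultdict

TH_SYN = 0x02
TH_ACK = 0x10


def count_handshakes(packets):
    """Tally, per host, SYNs addressed to it and SYN-ACKs it sent back.

    packets: iterable of (src_ip, dst_ip, tcp_flags) tuples as a router on
    the path would see them (assumed layout). A pure SYN is counted against
    its destination; a SYN-ACK is counted for its source (the responder).
    """
    syn = defaultdict(int)
    synack = defaultdict(int)
    for src, dst, flags in packets:
        if flags & TH_SYN and flags & TH_ACK:
            synack[src] += 1
        elif flags & TH_SYN:
            syn[dst] += 1
    return syn, synack


def classify(packets, syn_threshold=1000, ratio_threshold=3.0):
    """Return {host: (syns, synacks, ratio, verdict)}.

    'flood' needs BOTH a SYN count above syn_threshold AND a SYN/SYN-ACK
    ratio above ratio_threshold (thresholds are illustrative). Either test
    alone misfires: ratio alone flags hosts whose SYN-ACKs leave by another
    path (asymmetric routing); count alone flags any busy server; and forged
    SYN-ACKs can drag the ratio down but cannot reduce the SYN count.
    """
    syn, synack = count_handshakes(packets)
    report = {}
    for host, s in syn.items():
        a = synack.get(host, 0)
        ratio = s / a if a else float("inf")
        if s > syn_threshold and ratio > ratio_threshold:
            verdict = "flood"
        elif ratio > ratio_threshold:
            verdict = "ratio-only"   # asymmetric routing, or just low volume
        elif s > syn_threshold:
            verdict = "volume-only"  # busy server, or ratio masked by forged SYN-ACKs
        else:
            verdict = "ok"
        report[host] = (s, a, round(ratio, 2) if a else ratio, verdict)
    return report


def make_scenarios():
    """Constructed traffic for four hosts as seen by one router."""
    pkts = []
    # 1. Ordinary server: 200 SYNs from 200 clients, 198 SYN-ACKs back.
    for i in range(200):
        pkts.append((f"10.1.0.{i % 250 + 1}", "192.0.2.10", TH_SYN))
    for i in range(198):
        pkts.append(("192.0.2.10", f"10.1.0.{i % 250 + 1}", TH_SYN | TH_ACK))
    # 2. Multi-homed customer host: 80 SYNs arrive over this link, but its
    #    SYN-ACKs leave via its default route through the other provider,
    #    so this router sees none of them (ratio is infinite, volume is low).
    for i in range(80):
        pkts.append((f"10.2.0.{i % 250 + 1}", "198.51.100.7", TH_SYN))
    # 3. Flood: 5000 SYNs from spoofed sources, backlog full, only 40 SYN-ACKs.
    for i in range(5000):
        pkts.append((f"203.0.113.{i % 250 + 1}", "192.0.2.20", TH_SYN))
    for i in range(40):
        pkts.append(("192.0.2.20", f"203.0.113.{i % 250 + 1}", TH_SYN | TH_ACK))
    # 4. Same flood, plus 4800 forged SYN-ACKs injected in the reverse path
    #    with the victim as source, to make the ratio look healthy.
    for i in range(5000):
        pkts.append((f"203.0.113.{i % 250 + 1}", "192.0.2.30", TH_SYN))
    for i in range(4800):
        pkts.append(("192.0.2.30", f"203.0.113.{i % 250 + 1}", TH_SYN | TH_ACK))
    return pkts


if __name__ == "__main__":
    for host, (s, a, r, v) in sorted(classify(make_scenarios()).items()):
        print(f"{host:15} SYN={s:5} SYN-ACK={a:5} ratio={r:>7} -> {v}")
```

Run stand-alone it prints one line per host; the customer behind a default route comes out "ratio-only" rather than "flood", and the flood hidden behind forged SYN-ACKs comes out "volume-only", which is the case the ratio check on its own never sees.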