New Denial of Service Attack on Panix

Avi writes:

> But of course. The problem is that SYN_RCVD is a transient state in the
> TCP automaton, and it requires some resource allocation. Life
> might have been a little bit different if servers weren't forced
> to track this state. Something like a signed ticket accompanying the
> second SYN and the following ACK.
>
> Dima

That's the idea of making the ISS a ticket that includes MSS info and
a hash of the other info plus a security ticket.

I had hoped to work on that but it looks like someone else local is almost
done and claims that ignoring window size and any data with the SYN(s)
is harmless...

"someone else local" :-) has thrown the initial implementation up on
his ftp server; sun3 & sun4 .o's and a back-port to Net/2 src code
(note though, I have not tested the Net/2 port):

  ftp.op.net:/pub/src/syn-prophylactica/

I have been able to withstand a ~600+ SYN/sec attack with no
noticeable problems (slightly increased load, but no dropped
connections).

  --jeff
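The "ticket in the ISS" idea discussed in this thread, written out as an added illustration (this is not code from the thread, nor from the syn-prophylactica package, and the field layout, MSS ladder, hash and 64-second counter period are all assumptions): the server answers a SYN with an initial sequence number that encodes a coarse time counter, an MSS index and a keyed hash of the connection 4-tuple and the client's ISN, stores nothing, and only allocates a connection when the returning ACK carries a value that checks out. Window size and any data riding on the SYN are ignored, as the message above says.

```python
"""SYN-cookie style stateless ISS (added illustration, not the thread's code).

Assumed layout of the 32-bit ISS, modelled on the usual SYN cookie scheme:
  bits 31..27  t        5-bit coarse time counter
  bits 26..24  mss_idx  3-bit index into MSS_TABLE
  bits 23..0   h        24-bit keyed hash over 4-tuple, client ISN and t
"""
import hashlib
import hmac
import socket
import struct
from typing import Optional

# Hypothetical MSS ladder; the 3-bit field selects the largest entry not
# exceeding the MSS the client offered, so we never advertise too much.
MSS_TABLE = [536, 1024, 1460, 2048, 4096, 8192]
COUNTER_PERIOD = 64      # seconds per tick of t (assumption)
MAX_COOKIE_AGE = 1       # accept the current tick and the previous one


def _mss_index(client_mss: int) -> int:
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def _hash24(secret: bytes, saddr: str, sport: int, daddr: str, dport: int,
            client_isn: int, t: int) -> int:
    """Keyed hash binding the cookie to this client, this SYN and this tick."""
    msg = struct.pack("!4sH4sHII", socket.inet_aton(saddr), sport,
                      socket.inet_aton(daddr), dport, client_isn, t)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, saddr, sport, daddr, dport, client_isn, client_mss, now):
    """Server side on SYN: the ISS to send in the SYN-ACK. Window size and
    any SYN data are deliberately ignored, and nothing is stored."""
    t = (now // COUNTER_PERIOD) & 0x1F
    h = _hash24(secret, saddr, sport, daddr, dport, client_isn, t)
    return (t << 27) | (_mss_index(client_mss) << 24) | h


def check_cookie(secret, saddr, sport, daddr, dport, seq, ack, now) -> Optional[int]:
    """Server side on a bare ACK: returns the MSS to use if ack-1 is a valid
    cookie, else None. seq-1 is the client's ISN from its original SYN."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    now_t = (now // COUNTER_PERIOD) & 0x1F
    if ((now_t - t) & 0x1F) > MAX_COOKIE_AGE:
        return None                       # stale cookie or garbage counter
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _hash24(secret, saddr, sport, daddr, dport, client_isn, t)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def demo() -> dict:
    """Constructed handshake: one legitimate client, a forged ACK, a stale ACK."""
    secret = b"per-boot server secret (constructed)"
    srv, cli = ("192.0.2.10", 80), ("198.51.100.7", 40000)
    client_isn, now = 0x12345678, 1_000_000

    # SYN arrives: server replies with ISS=cookie and keeps no state at all.
    cookie = make_cookie(secret, cli[0], cli[1], srv[0], srv[1],
                         client_isn, 1400, now)
    # Client's third segment: seq = ISN+1, ack = cookie+1.
    seq, ack = client_isn + 1, (cookie + 1) & 0xFFFFFFFF
    args = (secret, cli[0], cli[1], srv[0], srv[1], seq)
    return {
        "legit": check_cookie(*args, ack, now + 5),
        "legit_next_tick": check_cookie(*args, ack, now + COUNTER_PERIOD),
        "forged": check_cookie(*args, ((cookie ^ 1) + 1) & 0xFFFFFFFF, now),
        "stale": check_cookie(*args, ack, now + 3 * COUNTER_PERIOD),
    }


if __name__ == "__main__":
    print(demo())
```

A flood of SYNs against this server costs it one HMAC per SYN-ACK and no memory, which is the point: the half-open table that the Panix attack filled no longer exists. The price is what the message notes: the only option carried from the SYN is the (rounded-down) MSS, and window scaling or data on the SYN are lost.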