Resent-Date: Sun, 6 Oct 1996 09:38:04 -0600 (MDT)
FYI (if it has already been mentioned, please excuse the double post):
The latest version of the SYN attack code published in Phrack (last
week's edition, NOT last month's) has an embedded 'ping' every several
hundred SYN packets.
If you get attacked, run snoop, tcpdump or anything that captures
packets, and look for the pings - they have the real source address of
the sender of the SYN flood attack.
Please note, obviously the code can be modified to NOT ping, but our
attacker last night did not do that, and we had the name of the user,
their ISP, and other info in less than 15 minutes.
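
The check described in the message above, as an added example that is not part of the original post: it scans `tcpdump -n` text output for a SYN flood against one destination and lists the sources of ICMP echo requests sent to that destination while the flood was running. The function names, the thresholds and the capture (documentation addresses only) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches `tcpdump -n` IPv4 lines; the port suffix is absent on ICMP lines.
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (.*)$")

def build_sample():
    """Constructed capture: 400 spoofed SYNs at 192.0.2.10, one ping per 200."""
    lines = ["09:30:00.000000 IP 203.0.113.9 > 192.0.2.10: "
             "ICMP echo request, id 2, seq 0, length 64"]  # before the flood
    for i in range(400):
        t = f"09:38:{4 + i // 100:02d}.{(i % 100) * 10000:06d}"
        spoofed = f"10.{i % 250}.{(i * 7) % 250}.{(i * 13) % 250 + 1}"
        lines.append(f"{t} IP {spoofed}.{1024 + i} > 192.0.2.10.80: "
                     f"Flags [S], seq {i}, win 512, length 0")
        if i % 200 == 199:
            lines.append(f"{t} IP 198.51.100.7 > 192.0.2.10: "
                         f"ICMP echo request, id 1, seq {i // 200}, length 64")
    lines.append("09:38:05.600000 IP 192.0.2.10.80 > 203.0.113.5.40000: "
                 "Flags [S.], seq 1, ack 2, win 512, length 0")  # SYN-ACK, ignored
    return "\n".join(lines)

def find_flood_pings(capture, min_syns=100, min_sources=50):
    """Return {victim: {ping_source: count}} for pings seen during a SYN flood."""
    syns, pings = defaultdict(list), defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, src, dst, rest = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if rest.startswith("Flags [S],"):          # bare SYN, not SYN-ACK
            syns[dst].append((t, src))
        elif rest.startswith("ICMP echo request"):
            pings[dst].append((t, src))
    report = {}
    for dst, events in syns.items():
        # Flood heuristic (assumed thresholds): many SYNs from many sources.
        if len(events) < min_syns or len({s for _, s in events}) < min_sources:
            continue
        start = min(t for t, _ in events)
        end = max(t for t, _ in events)
        hits = Counter(s for t, s in pings[dst] if start <= t <= end)
        report[dst] = dict(hits)
    return report

if __name__ == "__main__":
    print(find_flood_pings(build_sample()))
```

An address reported this way is a lead to follow up, since any host that legitimately pings the target during the flood window (a monitoring system, for example) will be listed as well.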