router syn/syn-ack/ack alarming...

um... maybe i'm missing the clue here, but if the router vendors add
something that shuts down an interface if the SYN/SYN-ACK/ACK ratio
becomes too bad make it *easier* for me if i'm doing a denial of service
attack on a host?

On "core" (whatever that means) you only need an extra couple of hundred
SYNs /sec to be passing through an attack, on many many 000s of SYNs
per sec. On customer facing routers, much easier just to block packets
with source addresses not on customer LANs. IE where your solution would
help, one can already fix the problem w/o a s/w change.

Alex Bligh
Xara Networks