router syn/syn-ack/ack alarming...

Larry writes:

Until someone implements this as a feature, then 2600 will post the code
to a program that sends SYNs followed by ACKs a minute later. The damage
would be done by then, but the stats would show balanced flows.

That's not a terribly useful type of attack. That can only be done
from a specific host and can't spoof the originating address.
To send the second ACK, you have to see the SYN/ACK come back
from the server and know the server's sequence # etc.
You either have to be that host, or on the wire somewhere
to it so you can sniff the SYN/ACKs going by. "on the wire"
is relatively hard nowadays, and will limit the range of
addresses that can be spoofed. Unless someone subverts
hosts on transit networks... in which case all sorts of
things are possible, this merely being one of them.

-george william herbert
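The point above, that a valid third-leg ACK has to carry the server's initial sequence number plus one and therefore cannot be produced by a sender who never saw the SYN/ACK, is something a stateful tracker can check directly, whereas the flag-counting router statistic Larry describes cannot. The following is an added illustration, not code from this thread or from any router vendor: it runs a naive SYN-vs-ACK balance counter and a small handshake state machine over a constructed set of segment records. The addresses, sequence numbers, timestamps and the 10-second "late ACK" threshold are all assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample segments (not a real capture), as a router or sensor on the
# path between client and server would see them. Fields:
# (time_s, src, dst, flags, seq, ack); flags: "S" = SYN, "SA" = SYN/ACK, "A" = bare ACK.
# Addresses are documentation-range placeholders.
SAMPLE_SEGMENTS: List[Tuple[float, str, str, str, int, int]] = [
    # 1. ordinary three-way handshake
    (0.00, "192.0.2.10", "198.51.100.1", "S", 1000, 0),
    (0.01, "198.51.100.1", "192.0.2.10", "SA", 5000, 1001),
    (0.02, "192.0.2.10", "198.51.100.1", "A", 1001, 5001),
    # 2. SYN from a source the sender does not control; the SYN/ACK goes to that
    #    address, so the sender never learns the server ISN and a minute later
    #    sends a bare ACK with a guessed ack number just to balance the counters
    (1.00, "192.0.2.20", "198.51.100.1", "S", 2000, 0),
    (1.01, "198.51.100.1", "192.0.2.20", "SA", 6000, 2001),
    (61.0, "192.0.2.20", "198.51.100.1", "A", 2001, 7777),
    # 3. SYN that is simply never completed (classic half-open connection)
    (2.00, "192.0.2.30", "198.51.100.1", "S", 3000, 0),
    (2.01, "198.51.100.1", "192.0.2.30", "SA", 7000, 3001),
    # 4. valid final ACK, but long after the SYN/ACK
    (3.00, "192.0.2.40", "198.51.100.1", "S", 4000, 0),
    (3.01, "198.51.100.1", "192.0.2.40", "SA", 8000, 4001),
    (63.0, "192.0.2.40", "198.51.100.1", "A", 4001, 8001),
]

LATE_ACK_SECONDS = 10.0  # assumed threshold; tune to the round-trip times you really see


@dataclass
class Handshake:
    syn_time: float
    client_isn: int
    server_isn: Optional[int] = None
    state: str = "syn_sent"  # syn_sent -> syn_received -> established


def flag_balance(segments) -> Tuple[int, int]:
    """The naive router statistic: how many SYN-only segments versus bare ACKs.

    This is exactly the counter that a delayed, blind ACK can 'balance'."""
    syns = sum(1 for s in segments if s[3] == "S")
    acks = sum(1 for s in segments if s[3] == "A")
    return syns, acks


def track_handshakes(segments, late_after: float = LATE_ACK_SECONDS) -> Dict[str, int]:
    """Stateful check: an ACK only completes a handshake if it acknowledges
    the server ISN + 1 that was actually sent in the SYN/ACK."""
    flows: Dict[Tuple[str, str], Handshake] = {}
    verdicts = {"completed": 0, "late_ack": 0, "bogus_ack": 0, "half_open": 0}
    for t, src, dst, flags, seq, ack in sorted(segments):
        if flags == "S":
            flows[(src, dst)] = Handshake(syn_time=t, client_isn=seq)
        elif flags == "SA":
            hs = flows.get((dst, src))  # keyed by client -> server direction
            if hs and hs.state == "syn_sent" and ack == hs.client_isn + 1:
                hs.server_isn = seq
                hs.state = "syn_received"
        elif flags == "A":
            hs = flows.get((src, dst))
            if hs is None or hs.state != "syn_received":
                continue  # data ACK or unknown flow; not a handshake leg we track
            if seq == hs.client_isn + 1 and ack == hs.server_isn + 1:
                hs.state = "established"
                verdicts["completed"] += 1
                if t - hs.syn_time > late_after:
                    verdicts["late_ack"] += 1  # valid, but worth a look
            else:
                verdicts["bogus_ack"] += 1  # sender never saw the SYN/ACK
    verdicts["half_open"] = sum(1 for h in flows.values() if h.state != "established")
    return verdicts


if __name__ == "__main__":
    print("naive SYN/ACK counts:", flag_balance(SAMPLE_SEGMENTS))
    print("stateful verdicts:", track_handshakes(SAMPLE_SEGMENTS))
```

On the sample above the naive counter reports four SYNs against three bare ACKs and looks nearly balanced, while the stateful tracker reports two genuine completions (one of them late), one ACK whose acknowledgement number does not match any SYN/ACK the sensor saw, and two connections still half-open. The bogus-ACK count is the direct expression of the argument in the post: without seeing the SYN/ACK, a sender has no way to produce the right acknowledgement number.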