There have been several (many?) products attempting to solve the TCP
SYN attack through timeouts. They watch the SYN packets, and flush
ones, by doing a RESET on the connection if the third packet isn't
received in time. Or letting connections fail by flushing the infant
connection table when full. I believe this is wrong!
[...]
I propose a solution where the initial sequence number is calculated
(not random), and is based on a cryptographic calculation of the
sender's Initial Sequence Number, the ports, and a "per boot"
secret number. In this way the initial packet can be discarded,
and on receipt of the third SYN packet can be recalculated.
cool idea!
look at:
ftp.op.net:/pub/src/syn-prophylactica/
for an implementation.
--jeff
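The stateless handshake the quoted proposal describes, as an added example (it is not code from this thread or from the syn-prophylactica package): the server's ISN is an HMAC of the client's ISN, the ports and a per-boot secret, so the SYN can be dropped and the cookie recomputed when the third packet arrives. HMAC-SHA256 stands in for the unspecified cryptographic calculation, both IP addresses are folded in as an assumption beyond the proposal, and the secret and packet fields are constructed.

```python
import hashlib
import hmac
import os
import socket
import struct

MASK32 = 0xFFFFFFFF

# Constructed per-boot secret: a real stack draws this once at boot and
# never exposes it. Every function below takes the secret explicitly.
PER_BOOT_SECRET = os.urandom(32)


def cookie_isn(secret, client_ip, server_ip, client_port, server_port, client_isn):
    """Server ISN derived from the client's ISN, the 4-tuple and the secret.
    Truncating the HMAC to 32 bits fits it into the TCP sequence field."""
    msg = struct.pack("!4s4sHHI",
                      socket.inet_aton(client_ip), socket.inet_aton(server_ip),
                      client_port, server_port, client_isn & MASK32)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def on_syn(secret, client_ip, server_ip, client_port, server_port, client_seq):
    """Answer a SYN with the SYN-ACK's seq/ack; nothing about the SYN is kept,
    so a flood of SYNs cannot fill an infant connection table."""
    isn = cookie_isn(secret, client_ip, server_ip, client_port, server_port, client_seq)
    return {"seq": isn, "ack": (client_seq + 1) & MASK32}


def on_third_packet(secret, client_ip, server_ip, client_port, server_port, seq, ack):
    """Validate the handshake's final ACK by recomputing the cookie.
    The client's ISN is recovered as seq - 1, so no lookup is needed.
    Returns the established 4-tuple, or None if the ACK does not verify."""
    client_isn = (seq - 1) & MASK32
    expected = cookie_isn(secret, client_ip, server_ip, client_port, server_port, client_isn)
    if ack != (expected + 1) & MASK32:
        return None  # forged or stale ACK: no state to clean up, just drop it
    return (client_ip, client_port, server_ip, server_port)
```

A cookie of this shape stays valid as long as the secret does, so a real implementation also folds in a coarse timestamp and encodes the negotiated MSS, since the dropped SYN's options are otherwise lost.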