Bgs writes:

> We recently got under a low traffic botnet DDoS attack. All attacker
> nodes opened a single tcp session (just SYN part) and then did nothing.
> This rules out rate limiting solutions and syncookie doesn't help
> either. (Thousands of attacking nodes).

This is simply a SYN flood attack. It may or may not be a botnet (though
saying botnet makes it sound sexier :-) ). A decent SYN flood attack tool
would randomize the source address anyway.

You should try reading the following as a starting point:
http://www.securityfocus.com/infocus/1729

Your second suggestion has been implemented in the TCP/IP stack forever.
The article above gives guidance on how to tune it in a Linux implementation.

Ric
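As an added example, not part of the thread or the linked article: a small POSIX shell audit of the Linux kernel knobs that govern half-open connection handling (SYN cookies, SYN backlog size, SYN-ACK retries), plus a count of sockets stuck in SYN-RECV from `ss -tan` output. The sysctl and `ss` sample lines are constructed here, and the thresholds are illustrative assumptions rather than values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Audits SYN-flood-related sysctls and
# counts half-open sockets. Thresholds below are assumptions for illustration.

# audit_syn_sysctls: reads "key = value" lines on stdin (the `sysctl -a` format)
# and prints one WARN line per setting that weakens SYN-flood resistance.
audit_syn_sysctls() {
    while IFS= read -r line; do
        key=${line%% = *}
        val=${line##* = }
        case "$key" in
            net.ipv4.tcp_syncookies)
                # 1 = send cookies once the SYN backlog fills; 0 = queue simply overflows
                [ "$val" = "1" ] || echo "WARN: $key=$val (expected 1)" ;;
            net.ipv4.tcp_max_syn_backlog)
                # size of the half-open queue; a small queue fills under modest SYN rates
                [ "$val" -ge 4096 ] || echo "WARN: $key=$val (expected >= 4096)" ;;
            net.ipv4.tcp_synack_retries)
                # each SYN-ACK retransmit keeps a half-open entry alive longer
                [ "$val" -le 3 ] || echo "WARN: $key=$val (expected <= 3)" ;;
        esac
    done
}

# count_half_open: reads `ss -tan` output on stdin and prints how many
# sockets are in SYN-RECV, i.e. connections waiting for the final ACK.
count_half_open() {
    awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# Constructed sample input (assumption: not captured from a real host).
SAMPLE_SYSCTL='net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
net.ipv4.ip_forward = 0'

SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV 0      0      10.0.0.5:80         198.51.100.7:40311
ESTAB    0      0      10.0.0.5:22         192.0.2.4:55000
SYN-RECV 0      0      10.0.0.5:80         203.0.113.9:51022'

main() {
    printf '%s\n' "$SAMPLE_SYSCTL" | audit_syn_sysctls
    printf 'half-open sockets: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | count_half_open)"
    # On a real host (assumption: sysctl and ss are available):
    #   sysctl -a 2>/dev/null | audit_syn_sysctls
    #   ss -tan | count_half_open
}
main
```

The sample sysctl block produces three warnings (cookies off, backlog 128, five SYN-ACK retries) and the sample `ss` output yields two half-open sockets; watching that second number climb while established connections stay flat is the simplest host-level indicator of the situation Bgs describes.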