RE: syn DDoS attack solution

Martijn Lievaart writes:
> 
> Ric Messier wrote:
> > Then your original description was incorrect or at least inadequate. It has
> > nothing to do with SYN as originally suggested since an ESTABLISHED
> > connection has blown past SYN, through SYN/ACK and by ACK. It has completed
> > the TCP handshake, as you note above. A SYN attack/flood would stop after
> > sending the initial SYN and leave the connection half-open to exhaust the
> > half-open buffers.
> >
> 
> A connection is in the ESTABLISHED state once a packet has been seen.
> So once the SYN is seen, the state is ESTABLISHED.
> 

Not last time I checked. That may be true to some degree in iptables but in
netstat, an ESTABLISHED connection is one that has made it through the
handshake process. Otherwise, it's in SYN_RECV state. 

Ric
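
Added example, not part of the original message: a short Python sketch that reads socket states in the /proc/net/tcp format (the table netstat reads on Linux) and separates half-open SYN_RECV entries from ESTABLISHED ones for a given listening port. The sample rows, addresses and function names are constructed for illustration.

```python
from collections import Counter

# State codes from the "st" column of /proc/net/tcp (Linux kernel TCP states).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in /proc/net/tcp layout (documentation-range addresses).
# On a live host, pass open("/proc/net/tcp").read() instead.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00000A:0050 016433C6:C001 03 00000000:00000000 01:00000050 00000000     0        0 0
   2: 0A00000A:0050 026433C6:C002 03 00000000:00000000 01:00000050 00000000     0        0 0
   3: 0A00000A:0050 036433C6:C003 03 00000000:00000000 01:00000050 00000000     0        0 0
   4: 0A00000A:0050 057100CB:D431 01 00000000:00000000 00:00000000 00000000    33        0 2002
   5: 0A00000A:0016 067100CB:E000 01 00000000:00000000 00:00000000 00000000     0        0 2003
"""

def decode_addr(hexaddr):
    """Convert 'AABBCCDD:PPPP' (IPv4 stored little-endian) to (ip, port)."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)

def parse(text):
    """Yield (local_port, remote_ip, state_name) for each socket row."""
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        _, lport = decode_addr(fields[1])
        rip, _ = decode_addr(fields[2])
        yield lport, rip, TCP_STATES.get(fields[3], fields[3])

def state_counts(text, local_port):
    """Count sockets per TCP state for one local port."""
    return Counter(s for lp, _, s in parse(text) if lp == local_port)

def half_open_peers(text, local_port):
    """Remote IPs whose handshake stopped after SYN (state SYN_RECV)."""
    return sorted(r for lp, r, s in parse(text)
                  if lp == local_port and s == "SYN_RECV")

if __name__ == "__main__":
    print(state_counts(SAMPLE, 80))
    print(half_open_peers(SAMPLE, 80))
```

A SYN_RECV count that keeps growing while ESTABLISHED stays flat points to a SYN flood; a large ESTABLISHED count means the peers completed the handshake.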