On Fri, 01 Jun 2007 23:34:02 +0200 Martijn Lievaart <m@xxxxxxx> wrote: > > Then your original description was incorrect or at least inadequate. It has > > nothing to do with SYN as originally suggested since an ESTABLISHED > > connection has blown past SYN, through SYN/ACK and by ACK. It has completed > > the TCP handshake, as you note above. A SYN attack/flood would stop after > > sending the initial SYN and leave the connection half-open to exhaust the > > half-open buffers. > > > > An connection is in the ESTABLISHED state once a packet has been seen. > So once the SYN is seen, the state is ESTABLISHED. I think you meant "So once the SYN is seen, the state is NEW". The state will change to ESTABLISHED as soon as netfiletr sees the SYN+ACK response. My 2 cents. Cheers. Ethy
