On Tue, Apr 23, 2002 at 02:30:55PM -0700, Christopher Maujean wrote: > that would be great, but the tcp connections that are valid need to be in the > SYN_RECV state for a short period of time, and the attackers keep changing > the 10-20 spoofed ip''s they are using, so we cant block specific ip's > either. We are a web host and must actually respond to the valid packets.
Have you looked for specific traits of the packets by using tcpdump/ ethereal? -- <[EMAIL PROTECTED]>
