> I am afraid I do not read other security lists besides this one (I glance at
> Linux-alert and Linux-security occasionally when linux.dev.* mentions something)
> And of course stuff like cert-advisory, but in none of these have I seen
> what actually can be done with SYN packets... Could someone explain this?
>
> $) Henri

SYN packets signal a request to open/negotiate a new session -- the problem arises when an attacker forges a series of packets that all have the SYN flag set. The recipient host can easily overflow its kernel structures in its effort to negotiate all of these "connection requests." This amounts to a denial of service attack (bad or badly configured kernels may panic or may start "thrashing" -- good kernels have a limit -- either way the machine is temporarily "off the net" (unable to carry on useful TCP/IP communications).

This is _at_best_ a gross oversimplification and may be in error on some points. I'm not a TCP/IP programmer or a kernel hacker. I guess there is some sort of timeout.

Basically detecting these attacks is a matter of heuristics. Ideally one would have a programmable router that would monitor TCP sessions (state monitoring) and would log, alert and deny packets from a host/site that appeared to be utilizing too much of a machine's TCP resources.

This issue has been held forth as evidence that IPv4 can't be made sufficiently secure to carry us into the next decade (TCP/IP as we know it is IP version 4). Right now there are developers working on IPv6 (IPv5 was skipped for technical reasons) -- but it doesn't look like there will be any *real* deployment of that until next year -- at the earliest.
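As an added illustration (not part of Henri's question or of the reply above), here is the state-monitoring heuristic the reply describes: keep a table of SYNs that have not been followed by the handshake's final ACK, expire them after a timeout, and raise an alert for any source holding too many half-open handshakes at once. The packet records, the 30-second timeout and the threshold of 5 are constructed assumptions, not values from the post.

```python
"""Half-open (SYN-without-ACK) tracker, added as an illustration.
Not code from the original mailing-list post; the packet records below
are constructed sample data, not real captures."""
from collections import defaultdict

HALF_OPEN_TIMEOUT = 30.0   # assumed: seconds before an unanswered SYN is forgotten
ALERT_THRESHOLD = 5        # assumed: pending handshakes per source that trigger an alert


def track_half_open(packets, timeout=HALF_OPEN_TIMEOUT, threshold=ALERT_THRESHOLD):
    """packets: iterable of (time, src, sport, dport, flags) tuples for segments
    arriving at the protected host.  Returns (alerts, pending): alerts maps a
    source address to the peak number of simultaneous half-open handshakes it
    held once it exceeded the threshold; pending is the final table of
    unanswered SYNs keyed by (src, sport, dport) with the time they arrived."""
    pending = {}
    alerts = {}
    for t, src, sport, dport, flags in packets:
        # Forget handshakes that never completed within the timeout window.
        for key in [k for k, started in pending.items() if t - started > timeout]:
            del pending[key]
        key = (src, sport, dport)
        if flags == "SYN":
            pending[key] = t
        elif flags == "ACK" and key in pending:
            pending.pop(key)   # third step of the handshake: no longer half-open
        per_src = defaultdict(int)
        for s, _, _ in pending:
            per_src[s] += 1
        if per_src[src] > threshold:
            alerts[src] = max(alerts.get(src, 0), per_src[src])
    return alerts, dict(pending)


# Constructed sample: one normal handshake, a burst of 8 unanswered SYNs from
# one source, one stray SYN, and a late SYN that arrives after the others expire.
SAMPLE = (
    [(0.0, "10.0.0.5", 40001, 80, "SYN"), (0.1, "10.0.0.5", 40001, 80, "ACK")]
    + [(1.0 + i * 0.01, "192.0.2.9", 50000 + i, 80, "SYN") for i in range(8)]
    + [(2.0, "10.0.0.6", 40002, 25, "SYN"), (40.0, "10.0.0.7", 40003, 22, "SYN")]
)

if __name__ == "__main__":
    alerts, pending = track_half_open(SAMPLE)
    print(alerts, len(pending))   # {'192.0.2.9': 8} 1
```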