Re: [suse-security] Re: stopping DrDOS attacks against Apache???

keith@topaz5.worldonline.co.uk wrote:
My idea was to keep a count of ALL packets coming to the server, and if there is an excessive amount of packets that are coming from one source IP, in a very short period of time, then this would probably indicate a SYN flood attack.
Apache is opening a tcp connection, yes? I may be mistaken, but I believe that Apache does access control after the connection is open. As SYN packets are part of the connection negotiation, they therefore happen beyond Apache's control.

If you're suggesting changing the way Apache handles connections (does its own TCP connection negotiation?), maybe that should be discussed on an Apache-specific list. However I suspect that anything that low-level might not be entirely portable.

--
Fred Morris m3047@inwa.net
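
The per-source counting idea quoted above, as an added example that is not part of the original thread: a sliding-window SYN counter that works on packet-level records, since the reply points out that SYN handling happens outside Apache's control. The record format, the window length and the threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque

# Constructed sample records: (timestamp_seconds, source_ip, tcp_flags).
# The tuple format is an assumption; real input would come from a firewall
# or capture log, not from Apache, which only sees established connections.
SAMPLE = (
    # 8 bare SYNs within 0.7 s from one source
    [(10.0 + i * 0.1, "192.0.2.10", "S") for i in range(8)]
    # 6 SYNs from another source, but spaced 2 s apart
    + [(10.0 + i * 2.0, "203.0.113.5", "S") for i in range(6)]
    # an ordinary client: one SYN followed by ACK and data
    + [(11.0, "198.51.100.7", "S"),
       (11.05, "198.51.100.7", "A"),
       (11.2, "198.51.100.7", "PA")]
)


def flag_syn_sources(records, window=1.0, threshold=5):
    """Return {source_ip: peak SYN count seen in any `window` seconds}
    for every source whose peak reaches `threshold`.

    Only bare SYN packets (flags == "S") are counted, so established
    traffic from a busy but legitimate client does not inflate the count.
    """
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)       # per-source highest in-window count
    for ts, src, flags in sorted(records):
        if flags != "S":
            continue
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in flag_syn_sources(SAMPLE).items():
        print(f"{src}: {n} SYNs within 1.0 s")
```

The same six SYNs from 203.0.113.5 are flagged only when the window is widened, which shows how strongly the result depends on the two tunables.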