Are you sure they're the ones under attack, and not you? These sound like typical signs of a SYN reflection attack on *your* network.
If that's the case, what you'd be seeing right now is SYN packets coming from an outside network with an origin port of 80, and a destination of somewhere on your network and a destination port > 1024. The best defense against this sort of thing is to block all incoming traffic to your servers on ports > 1024. For machines acting strictly as servers, in most cases they shouldn't be getting high-port traffic anyway. Moin NetWatch! NetWatch schrieb am Thursday, den 23. May 2002: > Since several weeks we are getting SYN responses from Hosts that were > under a DOS attack. The attacker used our IP-Addresses as the spoofed > source IP and Port 80 as the source port.