Well, first of all, blocking all > 1024 port traffic won't be a good idea. And besides, the guy said himself that he was being a victim of SYN RESPONSE with source port 80. It means somebody tried to reflect his DoS attack towards his webserver. What he needs to do is to filter out SYN+ACK (Response Packets) which have not been initialized by his webserver.
Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Vice President
Pakistan Computer Emergency Responce Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-21-4980523 92-21-4974781

"Great is the Art of beginning, but Greater is the Art of ending."
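
The filtering rule described in the message above, as an added example that is not part of the original post: a minimal state table that accepts an inbound SYN+ACK only when the host itself sent the matching SYN. The class and function names, addresses and packet records are constructed for illustration, and state timeouts are left out.

```python
from typing import NamedTuple

SYN, ACK = 0x02, 0x10  # TCP flag bits

class Pkt(NamedTuple):
    direction: str  # "out" = sent by the webserver, "in" = received by it
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

class SynAckFilter:
    """Tracks outbound SYNs and drops inbound SYN+ACKs that answer none."""

    def __init__(self):
        # Half-open connections this host started:
        # (local_ip, local_port, remote_ip, remote_port)
        self.pending = set()

    def accept(self, p: Pkt) -> bool:
        handshake_bits = p.flags & (SYN | ACK)
        if p.direction == "out":
            if handshake_bits == SYN:  # host is opening a connection
                self.pending.add((p.src, p.sport, p.dst, p.dport))
            return True
        if handshake_bits == (SYN | ACK):
            key = (p.dst, p.dport, p.src, p.sport)
            if key in self.pending:
                # Solicited reply: consume the entry (a real state table
                # would move the flow to an established state instead).
                self.pending.discard(key)
                return True
            return False  # reflected SYN+ACK the host never asked for
        return True  # other inbound traffic is outside this rule

def run(packets):
    f = SynAckFilter()
    return [f.accept(p) for p in packets]

# Constructed sample traffic; 203.0.113.10 is the webserver.
SAMPLE = [
    Pkt("in", "198.51.100.7", 80, "203.0.113.10", 34567, SYN | ACK),  # reflected
    Pkt("in", "192.0.2.20", 51000, "203.0.113.10", 80, SYN),          # real client
    Pkt("out", "203.0.113.10", 80, "192.0.2.20", 51000, SYN | ACK),   # server reply
    Pkt("out", "203.0.113.10", 40000, "192.0.2.5", 443, SYN),         # server dials out
    Pkt("in", "192.0.2.5", 443, "203.0.113.10", 40000, SYN | ACK),    # solicited
    Pkt("in", "192.0.2.5", 443, "203.0.113.10", 40001, SYN | ACK),    # wrong port
]
```

Only the first and last sample packets are dropped; inbound client connections to port 80 and replies to the server's own outbound connections pass.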