A SYN attack is usually done from bogus addresses; a different fake address is sent with each packet, making it extremely difficult to trace. This means that you cannot counteract a SYN attack by limiting access from the source IP address, since that address is unknown.
This FAQ discusses ways to deal with these attacks, and is a clearing house for additional information on the subject.
Here is the CIAC Bulletin with a full explanation of the attack and what steps to take against it.
netstat -an | grep SYN

"That'll show you the packets in the establishment-pending queue. If you can't traceroute to anywhere close to the source addresses, you're probably being SYN-attacked with random source addresses."
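The check quoted above, extended into a summary, as an added example that is not part of the original FAQ: it counts connections still waiting for the handshake to complete and how many distinct source addresses they come from. The function names, the threshold and the 90% heuristic are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: summarise half-open TCP connections from `netstat -an` output.
# Assumes the Linux/BSD column layout (foreign address in column 5, state last).

# syn_summary [THRESHOLD] < netstat-output
# Prints: half_open=<n> distinct_sources=<m> verdict=<ok|suspect>
syn_summary() {
    awk -v threshold="${1:-100}" '
        # SYN_RCVD (BSD, SunOS) and SYN_RECV (Linux): SYN received, handshake not finished.
        $NF == "SYN_RCVD" || $NF == "SYN_RECV" {
            addr = $5
            sub(/[.:][0-9]+$/, "", addr)   # drop the trailing .port or :port
            if (!(addr in seen)) { seen[addr] = 1; distinct++ }
            half_open++
        }
        END {
            verdict = "ok"
            # Heuristic (assumption): many pending entries, almost all from
            # different sources, matches a flood with random source addresses.
            if (half_open >= threshold && distinct * 10 >= half_open * 9)
                verdict = "suspect"
            printf "half_open=%d distinct_sources=%d verdict=%s\n", half_open, distinct, verdict
        }'
}

# Constructed sample (documentation addresses), not captured from a real host.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp        0      0 192.0.2.10.80          198.51.100.7.1042      SYN_RCVD
tcp        0      0 192.0.2.10.80          203.0.113.99.3310      SYN_RCVD
tcp        0      0 192.0.2.10.80          198.51.100.201.2201    SYN_RCVD
tcp        0      0 192.0.2.10.80          203.0.113.5.1999       SYN_RCVD
tcp        0      0 192.0.2.10.23          192.0.2.44.1025        ESTABLISHED
tcp        0      0 *.80                   *.*                    LISTEN
EOF
}

# Live use: netstat -an | syn_summary 100
sample_netstat | syn_summary 4
```

A few entries in the pending state are normal on a busy server; the count matters only when it stays high and the sources keep changing.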
If you have the good taste to use SunOS (as our friend Avi Freedman might say), check out Avi's SunOS Patches.
Patches for other BSD-based operating systems are being created as well, and will appear on that web page. Check it closely for further developments, even if you're using Windows NT (per Avi).
If you have another brand of router, we urge you to check the Cisco or Livingston instructions and your router manual and devise filters for your own system. If you email them to me, I will add them to this page.
These filters will protect other people by preventing your users from sending out packets which are purportedly from machines not on your network. They also protect you by stopping incoming packets that pretend to be from one of your machines.
If all providers unite and run these filters on their own networks, the SYN attack problem will be forever vanquished. So please, apply the filters today and help save the Internet from another PANIX-style catastrophe.
Cisco Systems has some valuable information on resisting some related attacks and setting up router filters.