Thank you for your reply,
perhaps I haven't completely described the problem:
It's not only the "usual" SYN attack, which I know you are aware of,
(you have answered this on the various mailing lists :-).
The problem with kernel 2.0.20 is the fact that the kernel consumes
extremely much load while it is attacked. (up to 10.0 - it can't even
recognize a keypress)
Well, my attack is somewhat different,
Demon9's paper guessed a rather small amount of SYN packets but I
tried to really flood the other computer connected via a local ethernet.
As soon as the flood stops, everything is back to normal (ok, large amount
of SYN "connections").
This only happens if the faked source host adr is really not reachable.
There is no need for a listening program/daemon, which the "usual" SYN
attack needs.
I suppose that the actual implementation of the timing code for the SYN
timeout is too slow?
Thanks,
Wolfram