Todd.Truitt writes:
>I believe it was stated that this SYN flood came from IP packets with
>the "Source Route" option set.
Perhaps so, but SR is not necessary unless the attacker wanted to
receive responses, which is not needed for this sort of attack.
> ... There should be a packet filter routine
>which will drop ALL packets with *any* options triggered. Since,
>typically speaking, the only reason that the IP options are used is
>to debug or cause trouble, this might be the safest approach for a
>firewall.
All quite true. The most useful thing you can do with your Internet
router is drop all packets with IP options and with source addresses
from the wrong side.
Sadly though, that is not enough to save you from a SYN attack.
--sjg
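
The router policy recommended in the reply above, sketched as an added example (not code from either poster): drop any IPv4 packet that carries options, and drop any packet whose source address belongs to the other side of the router. The inside prefix, interface names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Assumed inside prefix for the example (documentation range, constructed).
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")

def filter_packet(packet: bytes, arrived_on: str) -> str:
    """Return 'pass' or a 'drop: ...' reason for a raw IPv4 packet.

    arrived_on is 'outside' or 'inside': the router interface it came in on.
    """
    if len(packet) < 20:
        return "drop: truncated header"
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return "drop: malformed header"
    # IHL counts 32-bit words; anything past 5 words is IP options
    # (source route, record route, ...), so drop whichever option it is.
    if ihl > 5:
        return "drop: ip options present"
    src_is_inside = ipaddress.ip_address(packet[12:16]) in INSIDE_NET
    # Source address from the wrong side of the router.
    if arrived_on == "outside" and src_is_inside:
        return "drop: inside source on outside interface"
    if arrived_on == "inside" and not src_is_inside:
        return "drop: outside source on inside interface"
    return "pass"

def make_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a constructed IPv4 header (checksum left at 0) for the demo."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                       64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options

# Constructed loose source route option: type 0x83, length 7, pointer 4,
# one hop address, then one end-of-list byte as padding to a 32-bit boundary.
LSRR = bytes([0x83, 7, 4]) + ipaddress.ip_address("203.0.113.9").packed + b"\x00"

if __name__ == "__main__":
    print(filter_packet(make_header("198.51.100.7", "192.0.2.10", LSRR), "outside"))
    print(filter_packet(make_header("192.0.2.55", "192.0.2.10"), "outside"))
    print(filter_packet(make_header("198.51.100.7", "192.0.2.10"), "outside"))
```

The third sample, an option-free packet with an outside-looking source, passes both checks, which is the limitation the reply ends on.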