conntrack patch

From kadlec@blackhole.kfki.hu Mon Sep 17 10:20:18 2001
Date: Fri, 14 Jul 2000 09:08:45 +0200 (CEST)
From: Jozsef Kadlecsik 
To: Denis Ducamp 
Cc: Multiple recipients of list NETFILTER 
Subject: Re: technical tests on netfilter under 2.4.0-test2

Hello,

On Thu, 13 Jul 2000, Denis Ducamp wrote:

>  the conntrack doesn't follow correctly the 3-way handshake, which is a
>  vulnerability: the attacker sends a SYN, the victim replies with a SYN-ACK and the
>  connection is in the table for 5 days !!!

The attached patch modifies conntrack so that a TCP connection is not
considered established (IPS_SEEN_REPLY) until the 3-way handshake has
completed: SYN attack connections answered by the victims are
candidates for early dropping as well.

Could you stress-test it?
patch-test4-pre5-tcp-conntrack-early-drop
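The point of the patch above is when a tracker sets its "seen reply" flag: if the victim's SYN-ACK alone sets it, a half-open entry created by a SYN flood looks like a real connection and is protected from early drop. The toy tracker below is an added example, not the netfilter code and not the attached patch; it models the two rules side by side. Apart from the flag name IPS_SEEN_REPLY, every name and value in it (ct_entry, ct_track, ct_early_drop_candidate, the flag bit, the state names) is this example's own assumption.

```c
/*
 * Added example: a toy model of TCP connection tracking, not the netfilter
 * code or the patch discussed in the message.  Names, states and the flag
 * value below are assumptions made for the example; only the flag name
 * IPS_SEEN_REPLY is taken from the message.
 */
#include <assert.h>
#include <stdio.h>

/* TCP header flag bits. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Status bit marking an entry as answered; the value is chosen for the example. */
#define IPS_SEEN_REPLY 0x02u

enum ct_dir { CT_ORIGINAL, CT_REPLY };

enum tcp_state {
    TCP_NONE,        /* no segment seen yet */
    TCP_SYN_SENT,    /* client SYN seen */
    TCP_SYN_RECV,    /* server SYN-ACK seen, final ACK still missing */
    TCP_ESTABLISHED, /* 3-way handshake complete */
    TCP_CLOSE        /* RST or FIN seen */
};

struct ct_entry {
    enum tcp_state state;
    unsigned status;        /* IPS_* bits */
    int strict_handshake;   /* 0: flag reply on SYN-ACK; 1: flag only after the full handshake */
};

/* Feed one segment of a tracked flow; returns the resulting tracker state. */
enum tcp_state ct_track(struct ct_entry *ct, enum ct_dir dir, unsigned flags)
{
    if (flags & TH_RST) {
        ct->state = TCP_CLOSE;
        return ct->state;
    }
    switch (ct->state) {
    case TCP_NONE:
        if (dir == CT_ORIGINAL && (flags & TH_SYN) && !(flags & TH_ACK))
            ct->state = TCP_SYN_SENT;
        break;
    case TCP_SYN_SENT:
        if (dir == CT_REPLY && (flags & TH_SYN) && (flags & TH_ACK)) {
            ct->state = TCP_SYN_RECV;
            /* Pre-patch rule: any reply from the victim counts as "seen". */
            if (!ct->strict_handshake)
                ct->status |= IPS_SEEN_REPLY;
        }
        break;
    case TCP_SYN_RECV:
        if (dir == CT_ORIGINAL && (flags & TH_ACK) && !(flags & TH_SYN)) {
            ct->state = TCP_ESTABLISHED;
            /* Handshake complete: both rules flag the entry here. */
            ct->status |= IPS_SEEN_REPLY;
        }
        break;
    case TCP_ESTABLISHED:
        if (flags & TH_FIN)
            ct->state = TCP_CLOSE;
        break;
    case TCP_CLOSE:
        break;
    }
    return ct->state;
}

/* Early-drop policy when the table is full: unanswered entries go first. */
int ct_early_drop_candidate(const struct ct_entry *ct)
{
    return (ct->status & IPS_SEEN_REPLY) == 0;
}

/* The scenario in the message: SYN, SYN-ACK from the victim, no final ACK. */
int half_open_is_droppable(int strict)
{
    struct ct_entry ct = { TCP_NONE, 0, strict };
    ct_track(&ct, CT_ORIGINAL, TH_SYN);
    ct_track(&ct, CT_REPLY, TH_SYN | TH_ACK);
    return ct_early_drop_candidate(&ct);
}

/* A connection that finishes the handshake must never be a candidate. */
int established_is_droppable(int strict)
{
    struct ct_entry ct = { TCP_NONE, 0, strict };
    ct_track(&ct, CT_ORIGINAL, TH_SYN);
    ct_track(&ct, CT_REPLY, TH_SYN | TH_ACK);
    ct_track(&ct, CT_ORIGINAL, TH_ACK);
    return ct_early_drop_candidate(&ct);
}

int main(void)
{
    printf("half-open, pre-patch rule : droppable=%d\n", half_open_is_droppable(0));
    printf("half-open, patched rule   : droppable=%d\n", half_open_is_droppable(1));
    printf("established, patched rule : droppable=%d\n", established_is_droppable(1));
    return 0;
}
```

With the pre-patch rule the half-open entry is not droppable, which is exactly the flood case described above; with the strict rule it is, while a completed handshake is protected under both rules.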