Conclusions

- TCP stacks largely have synflood countermeasures
- stateful firewalls don't
- syncookies + flood detection + existing synproxy code = goodness
  - very effective
  - no legitimate traffic blocked
  - acceptable drawback only under actual attack
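The combination named above, as an added sketch that is not code from the slides or from any firewall: a front end keeps half-open state normally and answers with stateless cookies only while a flood is detected. The `Frontend` class, the `cookie` helper, the HMAC-SHA256 construction, the watermarks and the timeout are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # constructed; a real stack uses a random, rotated key
HIGH_WATER, LOW_WATER = 4, 2       # assumed flood-detection thresholds (half-open entries)
TIMEOUT = 3                        # assumed half-open lifetime, in ticks

def cookie(flow, client_isn, tick):
    """Server ISN derived from the flow, so nothing is stored until the ACK returns."""
    msg = repr((flow, client_isn, tick)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class Frontend:
    """Hypothetical stateful front end that goes stateless only while flooded."""
    def __init__(self):
        self.half_open = {}        # flow -> (server ISN, tick created)
        self.cookie_mode = False
        self.last_cookie_tick = None
        self.isn = 1000            # constructed counter; real ISNs are randomized

    def _detect(self, tick):
        # Expire stale half-open entries, then apply the watermarks with hysteresis.
        self.half_open = {f: v for f, v in self.half_open.items() if tick - v[1] < TIMEOUT}
        if len(self.half_open) >= HIGH_WATER:
            self.cookie_mode = True
        elif len(self.half_open) <= LOW_WATER:
            self.cookie_mode = False

    def on_syn(self, flow, client_isn, tick):
        """Return the ISN to put in the SYN-ACK."""
        self._detect(tick)
        if self.cookie_mode:
            self.last_cookie_tick = tick
            return cookie(flow, client_isn, tick)   # no state stored
        self.isn += 1
        self.half_open[flow] = (self.isn, tick)
        return self.isn

    def on_ack(self, flow, seq, ack, tick):
        """Accept the final ACK if it matches stored state or a recent cookie."""
        self._detect(tick)
        client_isn, server_isn = (seq - 1) % 2**32, (ack - 1) % 2**32
        if flow in self.half_open and self.half_open[flow][0] == server_isn:
            del self.half_open[flow]
            return True
        if self.last_cookie_tick is None or tick - self.last_cookie_tick > 1:
            return False           # no cookies outstanding: nothing to validate
        return any(cookie(flow, client_isn, t) == server_isn for t in (tick, tick - 1))
```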