syncache


doesn't solve the problem
but mitigates it very well

splitting half-open connections off allows seperate tracking

seperate limit for half-open streams possible
affects legitimate new connections
no effect on established connections

implemented in FreeBSD, NetBSD, OpenBSD