best solution known so far is Random Drop of waiting connections once queue fills to a limit at least as large as design RTT*Attack-Rate (queues in the 350-400 range appear to be quite sufficient for RTTs in the 250msec range with 1000-packets/second attacks).

Some also argue that somewhat more aggressive aging with Oldest Drop (aka FIFO) also helps while the queue fills to the point of instigating Random Drop. One can mutter about where the transition between Oldest and Random should occur. I'm willing to believe a hybrid strategy could be better at the possible cost of more complexity (although more aggressive Oldest Drop is probably just a timer tweak).

Note that with Random Drop and a 350-400 max queue size, legit connections almost always complete on the first SYN with no retransmission.

cheers,
-mo
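The three backlog policies discussed above (Oldest Drop when full, Random Drop when full, and a hybrid that ages out stale entries on a timer before Random Drop kicks in), as an added event-driven simulation. This is not code from the post or from mo; it is a toy model whose assumptions are chosen to match the numbers in the post: spoofed attack SYNs at a constant 1000/s that are never ACKed, legitimate SYNs at a constant 20/s whose final ACK arrives one RTT (250 ms) later, no retransmissions, and an optional `max_age` SYN-RCVD timer standing in for "more aggressive aging". The function `simulate` returns the fraction of legitimate connections whose ACK still finds its half-open entry in the backlog, i.e. that complete on the first SYN. The names `simulate`, `build_events` and `max_age` are mine.

```python
"""Toy event-driven model of a TCP SYN backlog under a spoofed SYN flood.

Added example, not code from the original post.  Traffic model, rates and the
'max_age' aging timer are assumptions chosen to match the post's figures
(RTT 250 ms, 1000 attack SYNs/s, backlog limit in the 350-400 range).
"""
import random
from collections import OrderedDict

# Tie-break order for events with equal timestamps.
ATTACK_SYN, LEGIT_SYN, LEGIT_ACK = 0, 1, 2


def build_events(attack_rate, legit_rate, rtt, duration):
    """Constructed traffic: attack SYNs (spoofed, never completed) at a constant
    rate, legitimate SYNs at a constant rate, each followed by its ACK rtt later."""
    events = []
    for k in range(int(attack_rate * duration)):
        events.append((k / attack_rate, ATTACK_SYN, k))
    for j in range(int(legit_rate * duration)):
        t = (j + 0.5) / legit_rate
        events.append((t, LEGIT_SYN, j))
        events.append((t + rtt, LEGIT_ACK, j))
    events.sort()
    return events


def simulate(policy, queue_max, max_age=None, attack_rate=1000.0,
             legit_rate=20.0, rtt=0.25, duration=5.0, seed=1):
    """Fraction of legitimate connections that complete on their first SYN.

    policy   : "oldest" (FIFO drop when the backlog is full) or
               "random" (Random Drop when the backlog is full)
    max_age  : optional SYN-RCVD timer in seconds; on every SYN arrival, entries
               older than this are aged out (oldest first) before the full-queue
               policy runs.  "random" plus max_age is the hybrid strategy.
    """
    if policy not in ("oldest", "random"):
        raise ValueError("policy must be 'oldest' or 'random'")
    rng = random.Random(seed)
    backlog = OrderedDict()           # key -> arrival time; oldest entry first
    counted = completed = 0
    for t, kind, ident in build_events(attack_rate, legit_rate, rtt, duration):
        if kind == LEGIT_ACK:
            if t > duration:          # attack traffic stops at 'duration'; ignore the tail
                continue
            counted += 1
            if backlog.pop(("legit", ident), None) is not None:
                completed += 1        # half-open entry survived one RTT of pressure
            continue
        # SYN arrival: aging timer first, then the full-queue policy.
        if max_age is not None:
            while backlog and t - next(iter(backlog.values())) > max_age:
                backlog.popitem(last=False)
        if len(backlog) >= queue_max:
            if policy == "oldest":
                backlog.popitem(last=False)
            else:
                del backlog[rng.choice(list(backlog))]
        key = ("attack", ident) if kind == ATTACK_SYN else ("legit", ident)
        backlog[key] = t
    return completed / counted if counted else 0.0


if __name__ == "__main__":
    scenarios = [
        ("oldest drop, queue 400", dict(policy="oldest", queue_max=400)),
        ("oldest drop, queue 200 (< RTT*rate)", dict(policy="oldest", queue_max=200)),
        ("random drop, queue 400", dict(policy="random", queue_max=400)),
        ("random drop + 500 ms aging", dict(policy="random", queue_max=400, max_age=0.5)),
        ("random drop + 300 ms aging", dict(policy="random", queue_max=400, max_age=0.3)),
    ]
    for label, args in scenarios:
        print(f"{label:38s} first-SYN completion = {simulate(**args):.2f}")
```

Under this model Oldest Drop with a 400-entry backlog (above RTT*Attack-Rate = 250) keeps every legitimate entry for about 400/1020 s, longer than the RTT, so all complete; with a 200-entry backlog (below RTT*Attack-Rate) every legitimate entry is pushed out before its ACK arrives. Random Drop spreads the evictions over the whole backlog, so survival over one RTT is roughly exp(-arrivals per RTT / queue size). Adding an aging timer only slightly above the RTT (300 ms) keeps the backlog from ever filling at this attack rate, which is the "timer tweak" reading of the post's hybrid.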