New Denial of Service Attack on Panix

How exactly is a proxy supposed to behave
    when it "hangs onto", say, 10.000+ unfinished
    TCP connections? Will it deny new ones (because
    resources are always limited)?
    Looks like it's the only thing it will be able
    to do, and as soon as the first packet is denied,
    the hacker's won.

    As hard as it is to implement, the only way
    to fight this is to have every single ISP filter
    outgoing packets.
    Assuming big players have enough desire they can do it
    quickly by making an offer smaller ISPs can't refuse,
    the same kind Sprint made when it started filtering
    small CIDRs.

    It's certainly harder to catch those who don't comply
    though ...

    Interestingly enough, the source IPs could be valid,
    then it becomes even harder to see if the TCP connection
    request is valid or bogus. And once again, source filtering
    by each and every AS looks like the only solution.
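
An added example, not part of the original post: a small Python simulation of the two mechanisms discussed above, a finite table of unfinished TCP handshakes that refuses new connections once full, and an ISP edge filter that drops outbound packets whose source address is outside the customer's assigned prefixes. The prefixes, addresses, table size and all names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: prefixes an ISP has assigned to one customer port.
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/25")]

def egress_permitted(src, prefixes=CUSTOMER_PREFIXES):
    """True if an outbound packet's source lies in an assigned prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)

class HalfOpenTable:
    """Finite table of unfinished handshakes, as held by a server or proxy."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.pending = set()
        self.refused = 0

    def syn(self, src, sport):
        key = (src, sport)
        if key in self.pending:          # retransmitted SYN, already tracked
            return True
        if len(self.pending) >= self.capacity:
            self.refused += 1            # resources exhausted: deny
            return False
        self.pending.add(key)
        return True

    def ack(self, src, sport):
        self.pending.discard((src, sport))   # handshake done, slot freed

def simulate(filtering, capacity=8):
    """Pass constructed traffic through an optional edge filter to the table.

    Returns (legitimate client accepted, slots in use, requests refused).
    """
    table = HalfOpenTable(capacity)
    # 20 connection requests whose sources are outside the assigned
    # prefixes and which never complete the handshake (constructed).
    unfinished = [("203.0.113.%d" % i, 1024 + i) for i in range(1, 21)]
    for src, sport in unfinished:
        if filtering and not egress_permitted(src):
            continue                     # dropped at the ISP edge
        table.syn(src, sport)
    # One legitimate client using an assigned address.
    legit = "192.0.2.10"
    accepted = egress_permitted(legit) and table.syn(legit, 40000)
    return accepted, len(table.pending), table.refused
```

Without the filter the table fills and the legitimate client is refused; with it, the out-of-prefix requests never reach the table. A request whose source falls inside an assigned prefix passes `egress_permitted` regardless of who sent it, which is the case raised in the last paragraph.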