Vern Schriver at SGI has been running experiments and
the conclusions are pretty compelling.
Have the listen queue do Random Drop of waiting connections.
If the queue size is equal or greater than the attack rate
times the expected round-trip time, the probability of a
real session connecting on the first SYN is very close to one.
Note this performs much better than "oldest drop" (aka FIFO).
In his tests, a machine sustained a 1200 SYN/second attack
with no observable impact in system performance. With a
queue size of 383, from a machine with a 250 msec round-trip, thousands
of connections completed with only a handful of initial SYN
retransmissions (again, with a 1200 SYN/sec attack).
Best way to make the bogons leave is to make it not fun anymore.
This certainly seems to accomplish the goal.
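As an added example (not SGI's implementation and not the post's own measurements), the script below models the two listen-queue overflow policies the post compares, "oldest drop" (FIFO) and random drop, and computes the chance that one legitimate half-open connection is still in the backlog when its ACK comes back one round trip later. The model is an assumption stated in the code: the backlog is already full of attacker entries, `attack_rate * rtt` bogus SYNs arrive during that round trip, each arrival evicts exactly one entry, and no entry times out or is cleared by a RST in between. The numbers 1200 SYN/s, 250 ms and 383 slots are taken from the post; everything else (function names, the Monte Carlo check) is constructed here. What the model makes visible is the qualitative point in the post: oldest-drop is all-or-nothing (it collapses to zero legitimate completions as soon as attack rate times RTT exceeds the queue), whereas random drop always leaves a nonzero chance per SYN, so a retransmission or two gets the real client in.

```python
import math
import random

# Constructed scenario using the figures quoted in the post.
ATTACK_RATE = 1200      # bogus SYNs per second (assumption: steady, uniform arrivals)
RTT = 0.25              # seconds a legitimate half-open entry must survive in the backlog
QUEUE_SIZE = 383        # listen queue (backlog) slots


def analytic_survival(queue_size, attack_rate, rtt, policy):
    """Probability that one legitimate half-open entry is still in a full backlog
    after one RTT.  Simplified model (assumption): the backlog is already full of
    attacker entries, attack_rate*rtt bogus SYNs arrive during the RTT, and every
    arrival must evict exactly one existing entry."""
    arrivals = int(attack_rate * rtt)
    if policy == "oldest":
        # FIFO / oldest-drop: the legitimate entry starts out newest and becomes
        # the oldest after queue_size-1 arrivals; the next arrival evicts it.
        return 1.0 if arrivals < queue_size else 0.0
    if policy == "random":
        # Random drop: each arrival evicts a uniformly chosen slot, so the entry
        # survives each arrival with probability 1 - 1/queue_size.
        return (1.0 - 1.0 / queue_size) ** arrivals
    raise ValueError(f"unknown policy {policy!r}")


def simulate_survival(queue_size, attack_rate, rtt, policy, trials=4000, seed=1):
    """Monte Carlo estimate of the same quantity, one trial per legitimate SYN,
    used here to cross-check the closed-form expression."""
    rng = random.Random(seed)
    arrivals = int(attack_rate * rtt)
    survived = 0
    for _ in range(trials):
        older = queue_size - 1      # attacker entries older than the legitimate one
        alive = True
        for _ in range(arrivals):
            if policy == "oldest":
                if older == 0:      # nothing older is left: we are evicted
                    alive = False
                    break
                older -= 1          # an older attacker entry is evicted instead
            elif policy == "random":
                if rng.randrange(queue_size) == 0:   # our slot was the one chosen
                    alive = False
                    break
            else:
                raise ValueError(f"unknown policy {policy!r}")
        survived += alive
    return survived / trials


def expected_syn_attempts(queue_size, attack_rate, rtt, policy):
    """Mean number of SYNs (first try plus retransmissions) until one completes,
    treating each attempt as an independent trial with the survival probability."""
    p = analytic_survival(queue_size, attack_rate, rtt, policy)
    return math.inf if p == 0.0 else 1.0 / p


def min_queue_for(attack_rate, rtt, target, policy="random", limit=10**6):
    """Smallest backlog that gives at least `target` probability of a legitimate
    connection completing on its first SYN under the chosen policy, or None."""
    q = 1
    while q <= limit:
        if analytic_survival(q, attack_rate, rtt, policy) >= target:
            return q
        q += 1
    return None


if __name__ == "__main__":
    for policy in ("oldest", "random"):
        a = analytic_survival(QUEUE_SIZE, ATTACK_RATE, RTT, policy)
        s = simulate_survival(QUEUE_SIZE, ATTACK_RATE, RTT, policy)
        attempts = expected_syn_attempts(QUEUE_SIZE, ATTACK_RATE, RTT, policy)
        print(f"{policy:>6}: analytic {a:.3f}  simulated {s:.3f}  "
              f"mean SYN attempts {attempts:.2f}")
    # How big the backlog must be, in this model, for 90% first-SYN success.
    print("backlog for 0.9 first-SYN success under random drop:",
          min_queue_for(ATTACK_RATE, RTT, 0.9))
```

The `min_queue_for` helper is the defender's sizing question: given the SYN rate a host is expected to absorb and the round trip of its typical clients, how many backlog slots does the model require for a chosen first-try success rate. Increasing the backlog, shortening the half-open timeout, or clearing entries on RST/ICMP responses all move the curve; the script only captures the first of these, which is the knob the post varies.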