Proactive steps to prevent DDOS?

I would add careful use of some rate-limiting
(already mentioned in Richard Steenbergen's
so you can rate-limit things like icmp and acks
numbered 0 and anything
else that show themselves to be obvious candidates
over time.

In actuality, in a TCP SYN packet, an ack of 0 is very
common. If you view legitimate syn's generated by
real stacks, you will see at dword offset 7:

Last time I checked, this was a 0 for all intents and
purposes. By rate-limiting acks of 0, you are
rate-limiting most syn packets, which I don't think is
the ultimate goal.