I would add careful use of some rate-limiting
functionality,
(already mentioned in Richard Steenbergen's
http://www.e-gerbil.net/ras/dos.txt)
so you can rate-limit things like icmp and acks
numbered 0 and anything
else that show themselves to be obvious candidates
over time.
In actuality, in a TCP SYN packet, an ack of 0 is very
common. If you view legitimate syn's generated by
real stacks, you will see at dword offset 7:
0x00000000.
Last time I checked, this was a 0 for all intents and
purposes. By rate-limiting acks of 0, you are
rate-limiting most syn packets, which I don't think is
the ultimate goal.
-j