Proactive steps to prevent DDOS?

Jason, don't be silly, obviously if the SYN bit is set it's not an ACK
flood. This is just an example of predictable misbehavior which can
usually be identified in any kiddie attack (TH_ACK and ack field 0 in the
case of stream). But you should know this... :stuck_out_tongue:

An attacker can always change their tactics and manage to throw out
packets which can slip past a filter ruleset. Rate-limits are only useful
for a) protecting the surrounding network, not necessarily the target, b)
when the traffic you are rate-limiting is desired but not absolutely
necessary under attack conditions (ex: icmp echo-replies are valued, but
during a smurf you can live without them), or c) when you have carefully
engineered separate rate-limit buckets so that an attacker targeting one
service may not disturb another. Other steps must be taken in conjunction,
and rate-limiting is only one small tool in the arsenal.
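As an added illustration (not code from the thread), here are the two defensive points above in working form: a check for the predictable "ACK set, ack field 0" signature the post attributes to stream-style floods, and per-service token buckets so that a flood against one port does not drain another's allowance. The sample packets are constructed inline, not captured.

```python
import struct

TH_SYN = 0x02
TH_ACK = 0x10

def parse_tcp_header(raw: bytes) -> dict:
    """Parse the fixed 20-byte TCP header (RFC 793 field order)."""
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHLLHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x01FF}

def is_stream_like(hdr: dict) -> bool:
    """Predictable misbehavior named in the post: ACK flag set, SYN clear,
    yet the acknowledgment number is zero (a real mid-stream ACK never is)."""
    f = hdr["flags"]
    return bool(f & TH_ACK) and not (f & TH_SYN) and hdr["ack"] == 0

def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Constructed sample header: data offset 5 words, window 8192, no checksum."""
    return struct.pack("!HHLLHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)

SAMPLES = [  # constructed, not captured traffic
    build_tcp(40000, 80, 12345, 0, TH_ACK),       # kiddie-tool style ACK with ack=0
    build_tcp(40001, 80, 1, 98765, TH_ACK),       # ordinary mid-stream ACK
    build_tcp(40002, 80, 777, 0, TH_SYN),         # legitimate SYN: ack field is 0 by design
    build_tcp(40003, 80, 5, 0, TH_SYN | TH_ACK),  # SYN bit set, so not an ACK flood packet
]

def count_suspicious(packets=SAMPLES) -> int:
    """How many sample packets match the stream-like signature."""
    return sum(is_stream_like(parse_tcp_header(p)) for p in packets)

class ServiceBuckets:
    """One token bucket per destination port (point c in the post): exhausting
    port 80's bucket leaves port 22's allowance untouched."""
    def __init__(self, rate_per_sec: float, burst: int):
        self.rate, self.burst, self.state = rate_per_sec, burst, {}

    def allow(self, dport: int, now: float) -> bool:
        tokens, last = self.state.get(dport, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last packet
        if tokens >= 1:
            self.state[dport] = (tokens - 1, now)
            return True
        self.state[dport] = (tokens, now)  # bucket empty: drop this one
        return False
```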