I've tried SYNProxy as well but that doesn't really help. I have 1,000,000 max states configured however, under a syn attack using hping3 all 1,000,000 get filled pretty much instantly. That's the whole reason to have syn-cookies working so that your state table doesn't get full with bogus syn requests. Even if I set net.inet.tcp.msl=7500, the incoming rate of connections outpaces the rate at which they are being removed from the state table. I'm not sending ridiculous amounts of packets either. My simulated attack is about 20-30K pps.