syn DDoS attack solution

[Bgs <bgs@bgs.hu>]

 Hi all,


 We recently got under a low traffic botnet DDoS attack. All attacker 
nodes opened a single tcp session (just SYN part) and then did nothing. 
This rules out rate limiting solutions and syncookie doesn't help 
either. (Thousands of attacking nodes).

 I'd like to know you thoughts about two possible approaches in solving 
this:
- syn proxy: already used for example by Cisco. The router handles the 
first part of the connection and only routes packets to the client if 
the connection seems good. (Good against single/spoofed incoming SYNs 
but may be used to wait for the first packet with actual data as well).
- Implement a conntrack solution that gives a timestamp to the 
connection. Then this timestamp could be used to drop the connection if 
no data arrives within a configured time limit (good for open inactive 
connections only). Of course appropriate close toward the local client 
has to be done as well.
What's your opinion?

Bye
Bgs