
Last time we were under serious DDoS, the attack vector shifted several times in response to our countermeasures. One of those shifts looked quite similar to what Fyodor describes. An attacking machine opened 1000+ connections, sent the request, then shrank the receive window to 1 byte. The botnet segment doing that was maybe ~500 zombies or so.

Of course, it's trivially mitigated on Linux with the iptables connlimit match (Fyodor mentioned that, too).

The punchline: our colo provider insisted on having a PIX firewall in front of our box, with stateful packet inspection and all that. And, of course, that was way too much state for it to keep. So the PIX went down and we got our 24 hours of downtime.
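
An added example (my own code, not the commenter's or anything from Fyodor's write-up) that reproduces the two sides of the above on loopback: a client that sends a request with a tiny receive buffer and then never reads, and a server that survives it with the two controls the comment mentions, a per-source-IP connection cap (an application-level stand-in for the iptables connlimit match) and a total timeout on sending the response. The response size, cap, timeout and 127.0.0.1 port are hypothetical demo values chosen so that a non-reading client is guaranteed to stall the sender.

```python
"""Added example, not from the HN comment: per-IP connection cap plus a bounded
send so a client that closes its receive window gets dropped, not serviced forever.
All limits, sizes and addresses are hypothetical demo values."""
import socket
import threading
from collections import Counter

MAX_CONN_PER_IP = 5   # hypothetical cap, same idea as --connlimit-above 5
SEND_TIMEOUT = 3.0    # hypothetical: max seconds the whole response send may take
# Constructed response: 16 MiB comfortably exceeds any kernel send buffer plus the
# client's receive window, so a client that stops reading must block the sender.
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: 16777216\r\n\r\n"
            + b"A" * (16 << 20))


class ConnLimiter:
    """Counts concurrent connections per source IP (what connlimit does in-kernel)."""

    def __init__(self, limit):
        self.limit = limit
        self.active = Counter()
        self.lock = threading.Lock()

    def acquire(self, ip):
        with self.lock:
            if self.active[ip] >= self.limit:
                return False          # over the cap: caller should drop the connection
            self.active[ip] += 1
            return True

    def release(self, ip):
        with self.lock:
            self.active[ip] -= 1


def serve_one(conn, addr, limiter):
    """Serve one accepted connection; returns 'rejected', 'sent' or 'stalled'."""
    ip = addr[0]
    if not limiter.acquire(ip):
        conn.close()
        return "rejected"
    try:
        conn.settimeout(SEND_TIMEOUT)
        conn.recv(4096)               # read the (single) request
        conn.sendall(RESPONSE)        # Python applies the timeout to the whole sendall
        return "sent"
    except socket.timeout:
        return "stalled"              # peer's window closed and stayed closed: drop it
    finally:
        conn.close()
        limiter.release(ip)


def simulate(client_reads_response):
    """One server/client exchange on loopback; returns serve_one's verdict.
    With client_reads_response=False the client acts like the zombie described
    above: tiny receive buffer, send the request, then never read."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(10)
    port = srv.getsockname()[1]
    finished = threading.Event()

    def client():
        c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if not client_reads_response:
            # Set before connect() so the advertised window is small from the start.
            c.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 1024)
        c.connect(("127.0.0.1", port))
        c.sendall(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")  # constructed request
        if client_reads_response:
            while c.recv(65536):
                pass                  # well-behaved client drains until server closes
        finished.wait()               # the zombie just sits here, window closed
        c.close()

    t = threading.Thread(target=client, daemon=True)
    t.start()
    try:
        conn, addr = srv.accept()
        verdict = serve_one(conn, addr, ConnLimiter(MAX_CONN_PER_IP))
    finally:
        finished.set()
        srv.close()
    t.join(timeout=10)
    return verdict


if __name__ == "__main__":
    print("well-behaved client:", simulate(True))    # sent
    print("window-shrinking client:", simulate(False))  # stalled
```

The stall case takes the full SEND_TIMEOUT to resolve, which is the point: without that bound the worker would sit in sendall for as long as the zombie keeps the connection open, and 1000 such connections per zombie times 500 zombies is exactly the state that a stateful box in front has to track too.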



