SYNPROXY: a cheap anti-DoS option

DoS attacks are a perennial problem. Specialised firewalls and load-balancing gateway appliances can defend against DoS more effectively, but hackers prefer the combination of x86 + GNU/Linux for a simple reason: it is cheap enough.

Linux kernel 3.13 finally added a new feature, SYNPROXY. The module is built on netfilter's connection-tracking extension. Its main job: the initial SYN packet from the client is marked UNTRACKED and then sent straight to the iptables "SYNPROXY" target (a target like ACCEPT, NFQUEUE and DROP); the kernel then plays the role of a gateway device and carries out the TCP handshake with the client itself. SYNPROXY waits until the final ACK of the three-way handshake has arrived and its cookie has been verified as legitimate, and only then begins to establish the real connection to the target host.
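The setup described above, as an added example that is not part of the original post: the raw-table rule marks initial SYNs UNTRACKED, the SYNPROXY target completes the handshake, and anything still INVALID afterwards is dropped. The interface `eth0` and port `80` are assumed placeholders; the function prints the commands so they can be reviewed before being piped to `sh` as root.

```shell
#!/bin/sh
# Emit the sysctl and iptables commands for a SYNPROXY front end on one port.
# Usage: synproxy_rules IFACE PORT          (prints; review, then: ... | sh)
# Example values (eth0, 80) are placeholders for this illustration.

synproxy_rules() {
    iface="$1"
    port="$2"
    # SYNPROXY answers the client's SYN with a SYN cookie, so syncookies and
    # TCP timestamps must be on; tcp_loose=0 stops conntrack from adopting
    # mid-stream packets that never went through the proxied handshake.
    echo "sysctl -w net.ipv4.tcp_syncookies=1"
    echo "sysctl -w net.ipv4.tcp_timestamps=1"
    echo "sysctl -w net.netfilter.nf_conntrack_tcp_loose=0"
    # 1. Initial SYNs bypass connection tracking (state UNTRACKED).
    echo "iptables -t raw -I PREROUTING -i $iface -p tcp -m tcp --syn --dport $port -j CT --notrack"
    # 2. UNTRACKED SYNs and the client's final ACK (INVALID, since no conntrack
    #    entry exists yet) go to SYNPROXY, which only opens the real connection
    #    to the server once the cookie in that ACK verifies.
    echo "iptables -I INPUT -i $iface -p tcp -m tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460"
    # 3. Whatever is still INVALID (spoofed floods, bogus ACKs) is dropped,
    #    so it never consumes a server-side socket.
    echo "iptables -A INPUT -i $iface -p tcp -m tcp --dport $port -m conntrack --ctstate INVALID -j DROP"
}

# Counter check while a flood is running: the syn_received column of
# /proc/net/stat/synproxy should climb while the conntrack table stays flat.
synproxy_stats() {
    cat /proc/net/stat/synproxy 2>/dev/null || echo "synproxy module not loaded"
    cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null
}

# Dry run with the placeholder values:
synproxy_rules eth0 80
```

Only the port being protected is proxied; each further service needs its own set of the three iptables rules.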

Data from developer Jesper Dangaard Brouer indicate that SYNPROXY is very effective against SYN-flood DoS attacks. Today I also ran DoS tests against SYNPROXY on Debian and SLES 12 beta2; in general, with hping3 and metasploit generating the flood, ksoftirq CPU occupancy dropped from 8% to 3% after SYNPROXY was enabled.

Origin www.cnblogs.com/woshijiuke/p/11242625.html