> Connection flooding is worse.. and requires offending clients to be > blacklisted by firewalling once identified.
If it's a botnet, there can be tens of thousands of hosts, so blacklisting can be difficult. Also, unless you have a multi-gigabit connection then they can just fill your pipe with whatever garbage they like and your only option then is to ask your ISP to try to filter it. There are also specialist anti-DDoS services with 10gig connections that act as a front end to your site to filter out the garbage then forward the real connections to you. You probably need to do a risk assesment to see whether its worth spending the money to defend against botnets.