Thanks to the people who responded:
brw@jazz.njit.edu
sysadm@its.brooklyn.cuny.edu
David Schiffrin <daves@adnc.com>
Shaun Welch <swelch@corp.home.net>
Casper Dik <casper@holland.Sun.COM>
It's patch 103582-11 that causes this.
The best response was from Casper Dik:
The old parameter setting didn't really prevent denial of service attacks, it
made them more difficult.
After the new patch, the denial of service fix is in the TCP code; the
two new tunables are tcp_conn_req_max_q and tcp_conn_req_max_q0;
it's a split of the old one.
The first one is a queue of established connections (which successfully completed
the 3-way handshake; this queue can overflow only if your server is slow).
The second queue is a queue that handles connections of which only the initial
SYN was received; if it overflows, old entries in the queue are dropped,
so possibly valid connections will still get through.
The default for q0 is 1024, and you don't really need to tune it anymore.
Casper
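As an added illustration of the two-queue behaviour Casper describes (a constructed toy model written for this summary, not Solaris code and not from the original post), the snippet below models q0 as a half-open queue that evicts its oldest entry on overflow and q as the established queue, and counts how many legitimate clients complete the handshake while never-completing SYNs are arriving. The queue sizes and the ratio of flood SYNs per round trip are made-up parameters.

```python
from collections import OrderedDict, deque


class ListenSocket:
    """Toy model of the split listen queues (constructed example).

    q0 holds half-open connections (SYN seen, handshake not finished);
    q holds established connections waiting to be accept()ed.
    """

    def __init__(self, conn_req_max_q0=1024, conn_req_max_q=128):
        self.max_q0 = conn_req_max_q0
        self.max_q = conn_req_max_q
        self.q0 = OrderedDict()  # insertion-ordered: oldest entry first
        self.q = deque()
        self.stats = {"q0_evicted": 0, "q_dropped": 0, "established": 0}

    def syn(self, client):
        # On overflow the OLDEST half-open entry is dropped, so a stream of
        # SYNs that never complete cannot pin q0 full of stale entries.
        if len(self.q0) >= self.max_q0:
            self.q0.popitem(last=False)
            self.stats["q0_evicted"] += 1
        self.q0[client] = True

    def ack(self, client):
        # Final handshake step: only a client still present in q0 can complete.
        if client not in self.q0:
            return False
        del self.q0[client]
        if len(self.q) >= self.max_q:  # established queue full: slow server
            self.stats["q_dropped"] += 1
            return False
        self.q.append(client)
        self.stats["established"] += 1
        return True

    def accept(self):
        return self.q.popleft() if self.q else None


def simulate(max_q0, flood_per_rtt, legit_clients=50):
    """Each legitimate client's ACK arrives one 'round trip' later, during
    which flood_per_rtt half-open SYNs arrive. Returns how many legitimate
    clients were established, i.e. survived q0 long enough to complete."""
    sock = ListenSocket(conn_req_max_q0=max_q0)
    for i in range(legit_clients):
        sock.syn(("legit", i))
        for j in range(flood_per_rtt):
            sock.syn(("half-open", i, j))
        sock.ack(("legit", i))
        sock.accept()
    return sock.stats["established"]
```

With the default q0 of 1024 every legitimate client gets through as long as fewer than 1024 half-open SYNs arrive per round trip; a small q0 (as with the old single tunable) lets the same load starve legitimate clients completely.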