I think you are saying dedicated firewalls can and should (?) be implemented on unix boxes rather than on specialist networking hardware and I will look into that, thanks.

re IP tables. I was vague because I have a number of ideas of where tables of IP addresses might have to be kept. The firewall can't (I imagine) detect the attack all on its own. So the application server has to keep records of activity against IP addresses and then tell the firewall (i.e. updating yet another table of IP addresses) to block some of them while maintaining others as "unresolved status" and others as formal client (probably more statuses than these to boot). For example, if a real (i.e. formal) customer has a DofS hacker in their midst, you might want to discuss it with them first rather than blocking the IP address and damaging business that might be worth more than a temporary performance hit while the issue is still being resolved.