Have you guys thought about implementing something like a SYN proxy like what OpenBSD's PF offers?
This would basically proxy your TCP handshakes, allowing you to set thresholds and discard bad packets and requests (or not respond to them altogether).
http://www.openbsd.org/faq/pf/filter.html#synproxy
TCP/5998 ---> <openbsd pf box> ---> eq server
Furthermore, you could inspect packet headers with SPI, but this would be a bit CPU intensive.
Just an idea, it may not be feasible given your resources (additional machine/staff know-how/ease of setup). I've used OpenBSD PF with great success in many enterprise scenarios; you can even use 'CARP' to load balance among several firewall nodes.
http://www.openbsd.org/faq/pf/carp.html
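
A pf.conf sketch of the setup suggested in the post above, as an added example that is not part of the original post: the interface name, the server address (a documentation-range placeholder), the table name and every limit value are assumptions to be tuned against real traffic.

```conf
# /etc/pf.conf on the OpenBSD box routing traffic to the game server.
# Assumed values, not from the post: em0, 192.0.2.10, <abusers>, all limits.
ext_if    = "em0"
eq_server = "192.0.2.10"

# Sources that exceed the per-source limits below are added here.
table <abusers> persist

set skip on lo

# Drop listed sources before any other rule is evaluated.
block in quick on $ext_if from <abusers>

# Default deny inbound, allow outbound.
block in on $ext_if
pass out

# synproxy state: pf answers the client's SYN itself and only opens the
# connection to the server once the client has completed the handshake,
# so spoofed SYNs never reach the server.
# max-src-conn:      simultaneous established connections per source
# max-src-conn-rate: new established connections per source (10 per 5 s)
# overload/flush:    list the offender and kill its existing states
pass in on $ext_if proto tcp to $eq_server port 5998 \
    synproxy state \
    (max-src-conn 20, max-src-conn-rate 10/5, \
     overload <abusers> flush global)
```

The per-source limits count only connections that completed the handshake, so they catch real clients that open too many connections, while the spoofed-SYN case is absorbed by synproxy itself. `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -t abusers -T show` lists the sources that have been caught.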