So apparently the sites where in actual use [1], hence the query for which site was under attack [2]. Also, it turned out that the traffic spike I saw might not have been an actual SYN attack [3], but instead legitimate traffic.
It seems that the company that owns the sites have a domain that has nothing but advertising banners for gambling sites (since that's what they do) for which they bought advertising space on a bunch of porn sites (I'm sure on the theory of “in for a penny, in for a pound” but in this case, “in for a vice, in for a whole slew of vices”) and it caught our server unaware.
It's not like the server can't handle the load, but that Apache [4] wasn't configured for such a spike in traffic. Now that I've tweaked the operating system (Linux):
>
```
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_syn_retries=2
```
But also tweaked KeepAliveTimeout [5], MinSpareServers [6], MaxSpareServers [7], StartServers [8] and MaxClients [9] in the Apache configuration (doubled each except for KeepAliveTimeout which I decreased) the server is having no problem keeping up with the traffice (I also copied the site to the second server and round-robinning requests between the two).
[5] http://httpd.apache.org/docs/1.3/mod/core.html#keepalivetimeout
[6] http://httpd.apache.org/docs/1.3/mod/core.html#minspareservers
[7] http://httpd.apache.org/docs/1.3/mod/core.html#maxspareservers
[8] http://httpd.apache.org/docs/1.3/mod/core.html#startservers
[9] http://httpd.apache.org/docs/1.3/mod/core.html#maxclients