ipfirewall

Is it possible to filter on ipfw?

We are very often bombarded with synflood, some of the attacks fall under these
rules
:
SYN flood is one that flies by these rules.
17:26:09.412994 IP 201.7.252.191.24116 > 85.39.14.140.22: Flags [S], seq 454842539, win 512, options [mss 1460], length 0
17:26:09.413010 IP 2943.223.180.133 .14.140.22: Flags [S], seq 1188803702, win 512, options [mss 1460], length 0
17:26:09.413012 win 512, options [mss 1460], length 0
17:26:09.413024 IP 58.70.168.80.24119 > 85.39.14.140.22: Flags [S], seq 384800345, win 512, options [mss 1460], length 0
17:26:09.413038 IP 172.222.29.109.239 .14.140.22: Flags [S], seq 1200159057, win 512, options [mss 1460], length 0
17:26:09.413047 win 512, options [mss 1460], length 0
17:26:09.413052 IP 85.26.80.237.24122 > 85.39.14.140.22: Flags [S], seq 1668929187, win 512, options [mss 1460], length 0
17: 26:09.413062 IP 109.168.89.26.24123 > 85.39.14.140.22: Flags [S], seq 1238532245, win 512, options [mss 1460], length 0
After looking at tcpdump, we can very easily ban such an attack with the following rule
ipfw add 8 deny tcp from any to any in via $oif setup tcpwin 512 tcpdatalen 0-0
But recently, such a SYN flood began to arrive, banning purely by 1 criterion datalength 0-0 is not an option, since valid packets get into it.
22:19:14.640202 IP 64.10.157.206.24647 > 85.39.14.140.22: Flags [S], seq 357826560, win 33536, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
22: 19:14.640204 IP 114.150.41.38.13033 > 85.39.14.140.22: Flags [S], seq 1207566336, win 26625, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
22:19: 14.640205 IP 15.213.92.20.12220 > 85.39.14.140.22: Flags [S], seq 1521418240, win 2115, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
22:19:14.640206 IP 182.153.18.78.30371 > 85.39.14.140.22: Flags [S], seq 61865984, win 32768, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
22:19:14.640207 IP 80.22.219.42.45138 > 85.39.14.140.22: Flags [S], seq 3309371392, win 38494, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
22: 19:14.640208 IP 112.143.57.207.28734 > 85.39.14.140.22: Flags [S], seq 86835200, win 38494, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
22:19: 14.640209 IP 46.242.136.109.44588 > 85.39.14.140.22: Flags [S], seq 3678339072, win 16384, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
22:19:14.640211 IP 199.22.76.232.516 > 85.39.14.140.22: Flags [S], seq 1997996032, win 56388, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
22:19:14.640213 IP 132.83. 125.146.9321 > 85.39.14.140.22: Flags [S], seq 1366949888, win 42527, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
Tell me, is it possible to slaughter this with some rules (maybe you can somehow use it from options [mss 1440,nop,wscale 8,nop,nop,sackOK]) ? Thanks in advance! It makes no sense to compile some kind of banlists, addresses are spoofed, each packet arrives from a random IP. syncookie is also not an option, since everything dies at 3mpps, ipfw keeps these 3mpps without problems if it is cut by the rule.