Yeah, it's hard to speculate as to what's going on, because we are not Paypal or Mastercard. Maybe someone from Anonymous works there and changed their uplink media to 10BaseT :)
So about the SYN floods you see in real life, how do those work? Do routers not do SYN proxying for the servers behind them? Do SYN cookies not work? Are sequence numbers being forged? Is the link saturated? Something else?
Routers don't do SYN proxying. SYNs are just regular packets and are passed along to a host.
FIREWALLs on the other hand, might use a SYN to make an entry in a table that's used to track connection state. That table might be overloaded by a SYN flood. Same thing applies to load balancers.
So about the SYN floods you see in real life, how do those work? Do routers not do SYN proxying for the servers behind them? Do SYN cookies not work? Are sequence numbers being forged? Is the link saturated? Something else?