diff --git a/sys/netinet/tcp_syncache.h b/sys/netinet/tcp_syncache.h
--- a/sys/netinet/tcp_syncache.h
+++ b/sys/netinet/tcp_syncache.h
@@ -67,6 +67,8 @@
 	u_int8_t	sc_requested_s_scale:4,
 			sc_requested_r_scale:4;
 	u_int16_t	sc_flags;
+	u_int32_t	sc_challenge_ack_cnt;	/* chall. ACKs sent in epoch */
+	sbintime_t	sc_challenge_ack_end;	/* End of chall. ack epoch */
 #if defined(TCP_OFFLOAD)
 	struct toedev	*sc_tod;		/* entry added by this TOE */
 	void		*sc_todctx;		/* TOE driver context */
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -122,6 +122,7 @@
 static void	 syncache_free(struct syncache *);
 static void	 syncache_insert(struct syncache *, struct syncache_head *);
 static int	 syncache_respond(struct syncache *, const struct mbuf *, int);
+static int	 syncache_send_challenge_ack(struct syncache *, struct mbuf *);
 static struct	 socket *syncache_socket(struct syncache *, struct socket *,
 		    struct mbuf *m);
 static void	 syncache_timeout(struct syncache *sc, struct syncache_head *sch,
@@ -694,10 +695,7 @@
 				    "sending challenge ACK\n",
 				    s, __func__,
 				    th->th_seq, sc->sc_irs + 1, sc->sc_wnd);
-			if (syncache_respond(sc, m, TH_ACK) == 0) {
-				TCPSTAT_INC(tcps_sndacks);
-				TCPSTAT_INC(tcps_sndtotal);
-			} else {
+			if (syncache_send_challenge_ack(sc, m) != 0) {
 				syncache_drop(sc, sch);
 				TCPSTAT_INC(tcps_sc_dropped);
 			}
@@ -963,6 +961,10 @@
 	if (sc->sc_rxmits > 1)
 		tp->snd_cwnd = 1;
 
+	/* Copy over the challenge ACK state. */
+	tp->t_challenge_ack_end = sc->sc_challenge_ack_end;
+	tp->t_challenge_ack_cnt = sc->sc_challenge_ack_cnt;
+
 #ifdef TCP_OFFLOAD
 	/*
 	 * Allow a TOE driver to install its hooks.  Note that we hold the
@@ -2053,6 +2055,24 @@
 	return (error);
 }
 
+static int
+syncache_send_challenge_ack(struct syncache *sc, struct mbuf *m)
+{
+	int error;
+
+	if (tcp_challenge_ack_check(&sc->sc_challenge_ack_end,
+	    &sc->sc_challenge_ack_cnt)) {
+		error = syncache_respond(sc, m, TH_ACK);
+		if (error == 0) {
+			TCPSTAT_INC(tcps_sndacks);
+			TCPSTAT_INC(tcps_sndtotal);
+		}
+	} else {
+		error = 0;
+	}
+	return (error);
+}
+
 /*
  * The purpose of syncookies is to handle spoofed SYN flooding DoS attacks
  * that exceed the capacity of the syncache by avoiding the storage of any