I know we got the ct states option, which is a big help, but I figured I would offer this suggestion from experience.
I got to noticing on a server I didn't have ct_states on that it was counting last_ack, fin_wait, close_wait, etc. as connections. I know about the skip time wait option, but usually there are just as many of the other connection states.
I think the ct default should count NEW,ESTABLISHED,SYN_RECV.
This will make ct more effective in general and less likely to ban legit users. When you are counting all states, even skipping time wait, you have to keep ct_limit pretty high to prevent banning legit users.
With these default states you could set a limit of 10-30 and have very few problems with legit users and help mitigate DoS.
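
An added example, not part of the original post and not the firewall's own code: it counts connections per remote IP from constructed netstat-style lines three ways (all states, skipping TIME_WAIT, and only the states proposed above) against an assumed limit of 10. The sample data, addresses and function names are made up for illustration.

```python
from collections import Counter

# State list proposed in the post; NEW never occurs in this constructed sample.
SUGGESTED_STATES = {"NEW", "ESTABLISHED", "SYN_RECV"}

def build_sample():
    """Constructed netstat-style lines (documentation addresses, not real traffic)."""
    mix = {
        # An ordinary browser: few live connections, many closing ones.
        "198.51.100.7": {"ESTABLISHED": 3, "TIME_WAIT": 4, "FIN_WAIT2": 4,
                         "CLOSE_WAIT": 2, "LAST_ACK": 2},
        # A client holding many half-open and open connections.
        "203.0.113.9": {"SYN_RECV": 8, "ESTABLISHED": 4},
    }
    lines = ["tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN"]
    port = 40000
    for ip, states in mix.items():
        for state, n in states.items():
            for _ in range(n):
                port += 1
                lines.append(f"tcp 0 0 192.0.2.10:80 {ip}:{port} {state}")
    return "\n".join(lines)

def count_per_ip(text, states=None, skip_time_wait=False):
    """Count connections per remote IP, optionally restricted to given states."""
    counts = Counter()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] == "LISTEN":
            continue
        remote, state = f[4], f[5]
        if skip_time_wait and state == "TIME_WAIT":
            continue
        if states is not None and state not in states:
            continue
        counts[remote.rsplit(":", 1)[0]] += 1  # strip the port, keep the address
    return counts

def over_limit(counts, limit):
    """Addresses whose count exceeds the limit."""
    return sorted(ip for ip, n in counts.items() if n > limit)

if __name__ == "__main__":
    sample, limit = build_sample(), 10  # limit of 10 is an assumed value
    print("all states:     ", over_limit(count_per_ip(sample), limit))
    print("skip TIME_WAIT: ", over_limit(count_per_ip(sample, skip_time_wait=True), limit))
    print("suggested only: ", over_limit(count_per_ip(sample, SUGGESTED_STATES), limit))
```

In this sample the ordinary client is over the limit in the first two modes and under it only when the count is restricted to the listed states.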