
Perfect, that's exactly the kind of thing I was looking for. Although I'm a little confused by the comment's description of the birthday attack -- it doesn't immediately seem useful to me for an attacker to find separate connections that generate the same cookie.


I'm not a cryptographer, but as I understand it, the birthday attack says if you have a valid hash for one thing, you can generate more things, and get a collision in a surprisingly small number of iterations.

In this context, it's easy to get a valid hash --- when the system is in syncookie mode, send a SYN from an address where you have visibility of the SYN+ACK responses.

Then, you could use that cookie (sequence number) to spoof ACK packets with other sources, and they've estimated the number of packets you need to spoof before you'll have probably generated a connection. That number of packets is significantly fewer than when the syncache has not overflowed recently, and you need to have sent a SYN, and have an exact match of the sequence number.
