DoS, ICMP, proxies, SYNDefender

(Doing my usual reiteration thing) routers _cannot_ generate UNREACH
for every host. Routers don't usually generate UNREACH for dead hosts
on ethernet/FDDI (should they, anyway?). Routers cannot generate

Yes, it's understood what 'routers usually don't do' :) Routers
don't do a lot of things they might.

Confirming this and pointed out by another, Postel, RFC 793, points
out this could be done as well (guess vendors just decided not
to do it).

IMO, we are seeing one example (of many) why this 'might always be
done' independent of the SYN attacks discussion. There are lots of
application protocols that could benefit from knowing the destination
was UNREACHABLE with an ICMP control packet.

Why would you NOT want to know about network errors, for example
why shouldn't a non-defaulting router inform the originator
that is not routable? Or, why would you not want
to be informed that a host is UNREACHABLE? Even during
periods of route flap, it should be up to the protocol
designer to decide how to set timers and respond to
such errors, etc.

This is an interesting issue, IMO. Application and protocol
programmers would have more information to 'use as they choose'
if ICMP UNREACHABLES were actually sent when destinations
are unreachable and sent 'as a rule'.

This, IMO, is a direct protocol issue, and not a security issue
per se.

Best Regards,


Right on! PHRACK will be publishing my program to transmit bogus ICMP
UNREACHABLE packets in the December 2001 issue. It's called the Bass
Player. :)

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049 - E-mail: