Worked fine with an RS/6000 instead of the 586. Just generate the
ICMP on the forwarding card. It has a CPU on it, so use it. The
overhead of sending to the main processor, then back, then usually out
the same interface is probably much higher than just building the
packet and sticking it on the output ring buffer.
Not all DoS attacks come in the form of packets. A couple of months ago,
some unhappy person (not an employee or former employee even) placed a
single phone call to Bell Atlantic and another to our 800 provider, and
convinced them both to disconnect all our NOC voice, data and fax phone
lines as well as our 800 service. The disconnects took place within a few
hours of the phone calls and also after the business offices were closed.
The upshot was, it took over 20 hours to get the service restored. When
we tried to involve law enforcement, they laughed at us.
Just because you are paranoid, does not mean they aren't out to get you,
and will not find new ways to do it.
Best Regards and Seasons Greetings,