New Denial of Service Attack on Panix

Tim Bass writes:


Because, it seems to me, since the way to exploit TCP
is to use bogus, unreachable IP sources, why not use
this fact to let the kernal just filter itself under
certain flooding conditions?

Please let me know why this will not work.


It will, except that a slight modification of the attack (using IP
addresses that _don't_ produce ICMP_UNREACH) will get us back to square

Anyway, filtering packets with SRC addresses known to generate
ICMP_UNREACH at the earliest possible stage might be a good idea.