Well, my understanding of your idea was that you proposed to detect SYN
packets with unroutable src addresses before they hit the SYN_RCVD
queue. The only way to deem them unroutable is to observe
ICMP_UNREACHs hitting the box in large numbers. Now my first paragraph
just means that an SRC address might be a perfectly routable one without
its being real - an unused address on an ethernet segment is enough for
the attack. Or thousands of them for an untraceable attack.
Dima
Tim Bass writes: