Well, my understanding of your idea was that you proposed to detect SYN
packets with unroutable src addresses before they hit the SYN_RCVD
queue. The only way to deem them unroutable is to observe
ICMP_UNREACHs hitting the box in large numbers. Now my first paragraph
Yes, we are 'in SYN' on the approach...
just means that an SRC address might be a perfectly routable one without
being real - an unused address on an Ethernet segment is enough for
the attack. Or thousands of them for an untraceable attack.
Yes, this also works to our advantage, it seems. As long as
the destination (the source route) is UNREACHABLE, whether the
address is bogus like 0.0.0.4, an unused IP address, or
a machine that is off on the network and thereby
UNREACHABLE, after some magic number of ICMP_UNREACHes
IP could block them with a system clock stamp and unblock
them after some other 'optimal deterministic' time.
Thanks for pointing out that the UNREACHABLEs could just
be hosts that are turned off. The difficult case,
now that you mention it, is the UNREACHABLEs due
to a route flap or other intermediate system blip.
However, there may be some 'deterministic time'
or number of packets, etc. to set metrics to
fine-tune this.
Thanks for the feedback, BTW.
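The threshold-and-timer scheme sketched in the message above, written out as an added example; this is not code from either correspondent or from any particular IP stack. It keeps a small table of source addresses, counts ICMP unreachables per address, blocks the address with a clock stamp once the count reaches a threshold, and unblocks it after a fixed time. The values 5 (the 'magic number'), 10 s (a counting window) and 60 s (the unblock time) are assumptions standing in for the parameters the thread leaves open, as are the names icmp_unreach_seen and syn_should_drop. The counting window is one assumed way to handle the route-flap caveat: unreachables that arrive far apart restart the count instead of accumulating.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Tunables. The thread leaves the "magic number" and the "optimal
 * deterministic" unblock time open; these values are assumptions. */
#define UNREACH_THRESHOLD 5    /* ICMP_UNREACHs within one window before blocking */
#define COUNT_WINDOW_SEC  10   /* gap after which the count restarts from zero    */
#define BLOCK_SEC         60   /* how long a source stays blocked                  */
#define TABLE_SIZE        256  /* open-addressed table; enough for a demo          */

struct unreach_entry {
    bool     in_use;
    uint32_t addr;       /* IPv4 source address, host byte order */
    unsigned count;      /* unreachables seen in the current window */
    time_t   last_seen;  /* time of the most recent unreachable */
    time_t   blocked_at; /* 0 when not blocked; the "system clock stamp" otherwise */
};

static struct unreach_entry table[TABLE_SIZE];

void reset_table(void) { memset(table, 0, sizeof table); }

/* Linear-probe lookup; creates the slot when asked. Returns NULL if full
 * or (when not creating) if the address is unknown. */
static struct unreach_entry *lookup(uint32_t addr, bool create)
{
    unsigned h = (unsigned)(addr * 2654435761u) % TABLE_SIZE;
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        struct unreach_entry *e = &table[(h + i) % TABLE_SIZE];
        if (e->in_use && e->addr == addr)
            return e;
        if (!e->in_use) {
            if (!create)
                return NULL;
            memset(e, 0, sizeof *e);
            e->in_use = true;
            e->addr = addr;
            return e;
        }
    }
    return NULL;
}

/* Called when an ICMP unreachable arrives for the SYN/ACK sent to addr.
 * Returns true when this event causes addr to become blocked. */
bool icmp_unreach_seen(uint32_t addr, time_t now)
{
    struct unreach_entry *e = lookup(addr, true);
    if (e == NULL || e->blocked_at != 0)
        return false;
    /* A lone unreachable from a route flap, far from the previous one,
     * restarts the count instead of accumulating toward the threshold. */
    if (now - e->last_seen > COUNT_WINDOW_SEC)
        e->count = 0;
    e->count++;
    e->last_seen = now;
    if (e->count >= UNREACH_THRESHOLD) {
        e->blocked_at = now;   /* stamp the block with the clock */
        return true;
    }
    return false;
}

/* Called for each incoming SYN before it would enter the SYN_RCVD queue.
 * Returns true if the SYN should be dropped. Expired blocks are cleared here. */
bool syn_should_drop(uint32_t addr, time_t now)
{
    struct unreach_entry *e = lookup(addr, false);
    if (e == NULL || e->blocked_at == 0)
        return false;
    if (now - e->blocked_at >= BLOCK_SEC) {
        e->blocked_at = 0;     /* deterministic unblock */
        e->count = 0;
        return false;
    }
    return true;
}

int main(void)
{
    uint32_t bogus = 0x00000004;  /* 0.0.0.4, the example address from the thread */
    reset_table();
    for (time_t t = 100; t < 105; t++)   /* five unreachables, one per second */
        icmp_unreach_seen(bogus, t);
    printf("SYN from 0.0.0.4 at t=105 dropped: %s\n",
           syn_should_drop(bogus, 105) ? "yes" : "no");
    printf("SYN from 0.0.0.4 at t=170 dropped: %s\n",
           syn_should_drop(bogus, 170) ? "yes" : "no");
    return 0;
}
```

The unblock is done lazily on the next SYN rather than by a timer, so nothing else needs to run; a real stack would also want the table sized and keyed for the traffic it sees and would age out idle entries.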