SYN floods - possible solution? (fwd)

Yes, using ICMP to try and do TCP SYN validation is bad. In addition to
the case where a firewalled site blocks ICMP, consider the case where a
group of hosts will respond to pings but have (some/much) TCP traffic to
them filtered by a conventional firewall. These hosts can be used as
candidate source addresses for a TCP SYN attack as they will respond to
the ICMP echo request but will not send a TCP RST to tear down the bogus
TCP connection.

Much better IMO to consider waiting for a TCP ACK response to TCP SYN
ACK for the requested TCP connection than to wait for ICMP echo response
at the firewall. As noted before this is a very simple transparent
proxy service that can be implemented at the packet level very similar
to that of a NAT box.
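The ACK-before-forward proxy described above, as an added example that is not code from the poster: the firewall answers every SYN itself and only opens the connection to the protected host once the client's ACK arrives. One assumption beyond the post: rather than keeping a per-connection table (which a flood would fill), the proxy encodes the validation state in its SYN-ACK sequence number, SYN-cookie style, so a spoofed SYN costs it no memory. Packets are simplified to dicts with the fields the state machine needs.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(16)  # per-process key for the cookie MAC (assumption: rotated on restart)


def syn_cookie(src, sport, dst, dport, slot):
    """ISN the proxy puts in its SYN-ACK: a MAC over the 4-tuple and a 60 s time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynProxy:
    """Transparent SYN proxy: no backend connection until the client's ACK checks out."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock, so tests are deterministic
        self.established = set()    # 4-tuples that completed the handshake with us

    def state_count(self):
        return len(self.established)

    def handle(self, pkt):
        # pkt: {"src","sport","dst","dport","flags","seq","ack"} (constructed, simplified)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        slot = int(self.now() // 60)
        if pkt["flags"] == "SYN":
            # Reply on the host's behalf; the cookie is the only "state" and it lives in the packet.
            return {"action": "reply", "flags": "SYN-ACK",
                    "seq": syn_cookie(*key, slot), "ack": (pkt["seq"] + 1) & 0xFFFFFFFF}
        if key in self.established:
            return {"action": "forward"}  # handshake done earlier: plain NAT-style forwarding
        if pkt["flags"] == "ACK":
            # Accept the current or previous slot so a slot rollover mid-handshake is tolerated.
            for s in (slot, slot - 1):
                if pkt["ack"] == (syn_cookie(*key, s) + 1) & 0xFFFFFFFF:
                    self.established.add(key)
                    return {"action": "open_backend", "flow": key}
            return {"action": "drop", "reason": "bad cookie"}
        return {"action": "drop", "reason": "no state"}


def spoofed_syn_flood(proxy, n):
    """Send n SYNs from made-up sources that never ACK; return how much state the proxy kept."""
    for i in range(n):
        proxy.handle({"src": f"203.0.113.{i % 256}", "sport": 1024 + i, "dst": "192.0.2.1",
                      "dport": 80, "flags": "SYN", "seq": i, "ack": 0})
    return proxy.state_count()
```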