> Well, my understanding of your idea was that you proposed to detect SYN packets with unroutable src addresses before they hit the SYN_RCVD queue. The only way to deem them unroutable is to observe ICMP_UNREACHs hitting the box in large numbers. Now my first paragraph

Yes, we are 'in SYN' on the approach...

> just means that an SRC address might be a perfectly routable one without its being real - an unused address on an ethernet segment is enough for the attack. Or thousands of them for an untraceable attack.
Yes, this also works to our advantage, it seems. As long as the destination (the source route) is UNREACHABLE, be the address bogus like 0.0.0.4, an unused IP address, or a machine that is off on the network, thereby being UNREACHABLE, after some magic number of ICMP_UNREACHes IP could block them with a system clock stamp and unblock them after some other 'optimal deterministic' time. Thanks for pointing out that the UNREACHABLEs could just be hosts that are turned off. The difficult cases, now that you mention it, are the UNREACHABLEs due to a route flap or other intermediate-system blip. However, there may be some 'deterministic time' or number of packets, etc., to set as metrics to fine-tune this. Thanks for the feedback, BTW.

Best Regards,
Tim
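The policy Tim sketches above (charge each ICMP unreachable to the address the bounced SYN/ACK was sent to, block that address once a "magic number" of them arrives, stamp the block with the clock, and unblock after a fixed period), written out as a user-space model. This is an added example, not code from the thread or from any IP stack; the threshold, counting window and block time are made-up tuning knobs. Two details go beyond what the thread says: a counting window so that a few unreachables spread over minutes (the route-flap case Tim worries about) expire instead of accumulating, and a pre-check that drops SYNs from prefixes that can never be a real peer (0.0.0.4 and friends) without waiting for any ICMP evidence.

```python
"""Model of an ICMP-unreachable-driven SYN filter (hypothetical simulation,
not kernel code). Every ICMP unreachable returned for a SYN/ACK we sent is
charged to the address we sent it to; a burst of them inside a short window
gets that address refused at SYN time for a fixed period, then unblocked."""
import ipaddress
from dataclasses import dataclass

# Prefixes that cannot be a legitimate TCP peer on the Internet (RFC 1122 /
# RFC 6890 "martians"). A SYN claiming one of these needs no ICMP evidence.
# Assumption: the list below is the set we care about for this demo.
MARTIAN_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
)]


def is_martian(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MARTIAN_NETS)


@dataclass
class SourceState:
    count: int = 0            # unreachables seen in the current window
    window_start: float = 0.0  # when the current counting window opened
    blocked_until: float = 0.0  # 0 means not blocked


class UnreachableSourceFilter:
    def __init__(self, threshold=5, window=10.0, block_time=60.0):
        self.threshold = threshold    # the "magic number" of unreachables
        self.window = window          # burst must fall inside this many seconds
        self.block_time = block_time  # the "deterministic" block period
        self.state = {}               # src address -> SourceState

    def icmp_unreach(self, src: str, now: float) -> bool:
        """Record one ICMP unreachable whose inner header was addressed to
        `src`. Returns True if this one tipped the address into blocked."""
        st = self.state.setdefault(src, SourceState())
        if now - st.window_start > self.window:
            # Stale evidence expires: isolated unreachables from a route
            # flap or a host that is briefly down never reach the threshold.
            st.count = 0
            st.window_start = now
        st.count += 1
        if st.count >= self.threshold and st.blocked_until <= now:
            st.blocked_until = now + self.block_time  # clock-stamped block
            st.count = 0
            return True
        return False

    def accept_syn(self, src: str, now: float) -> bool:
        """Decision taken before the SYN would occupy a SYN_RCVD slot."""
        if is_martian(src):
            return False
        st = self.state.get(src)
        if st is None:
            return True
        if st.blocked_until > now:
            return False
        if st.blocked_until:
            # Block period is over: unblock and forget the history.
            del self.state[src]
        return True


def run_scenarios() -> dict:
    """Constructed traffic: a spoofed flood, a route flap, and a martian."""
    f = UnreachableSourceFilter(threshold=5, window=10.0, block_time=60.0)

    # Scenario 1: six SYN/ACKs to one spoofed source bounce within a second.
    spoofed = "203.0.113.40"
    tripped = [f.icmp_unreach(spoofed, 100.0 + 0.1 * i) for i in range(6)]
    flood_blocked = not f.accept_syn(spoofed, 101.0)     # inside block period
    flood_unblocked = f.accept_syn(spoofed, 161.0)       # 60 s later

    # Scenario 2: a real host behind a flapping route; one unreachable every
    # 6-7 seconds never forms a burst of five inside a 10 s window.
    flappy = "198.51.100.9"
    for t in (200.0, 206.0, 213.0, 219.0, 226.0):
        f.icmp_unreach(flappy, t)
    flap_blocked = not f.accept_syn(flappy, 227.0)

    return {
        "flood_tripped_at": tripped.index(True),   # index of the fifth bounce
        "flood_blocked": flood_blocked,
        "flood_unblocked": flood_unblocked,
        "flap_blocked": flap_blocked,
        "martian_dropped": not f.accept_syn("0.0.0.4", 0.0),
    }


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The window is what separates the two hard cases Tim names: a host that is simply off keeps bouncing every SYN/ACK and so still trips the threshold, while a route blip produces a handful of unreachables that age out before the count matters. In a real stack the address charged would come from the inner IP header carried in the ICMP message, not from the ICMP packet's own source.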