In some mail from Mike Neuman, sie said:
>
> > From: Bill Gianopoulos <wag @ swl . msd . ray . com>
>
> > Actually, the recommended action for the firewall is to fake a reset of the
> > connection from the destination host. Any TCP/IP implementation that pays
> > attention to ICMP destination unreachable is leaving itself wide open
> > to a denial of service attack.
>
> I don't know if this is the right reason for faking a reset
> versus using ICMP destination unreachables. Almost any TCP
> implementation will listen to TCP RSTs regardless of the TCP
> sequence number. As a result, it's just as easy to deny service by
> spoofing TCP packets as it is to spoof ICMP packets. (Okay, sure, you
> have to guess the client's port. Even a brute force attack with, say,
> 2000 guesses comes to only 80k of data)
Which TCP implementations are you talking about here?
At least testing done by myself and reading the source contradicts what
you're claiming here for post 4.3BSD and even then it isn't as
straightforward as you're suggesting.
darren
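
The receiver-side check this exchange turns on, as an added example that is not part of the original mail or of any particular stack's source: RFC 793 accepts a RST on an established connection only when its sequence number falls inside the receive window, and RFC 5961 tightens that to an exact match with a challenge ACK otherwise. Function names and the sample window sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration; all names and sample values here are assumptions. */
enum rst_verdict { RST_DROP = 0, RST_CHALLENGE_ACK = 1, RST_ACCEPT = 2 };

/* RFC 793 acceptability test for a zero-length segment (a bare RST) in a
 * synchronized state. Unsigned subtraction keeps the comparison correct
 * when the window straddles the 2^32 sequence wrap. */
int rst_in_window(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seg_seq)
{
    if (rcv_wnd == 0)
        return seg_seq == rcv_nxt;            /* closed window: exact match only */
    return (uint32_t)(seg_seq - rcv_nxt) < rcv_wnd;
}

/* RFC 5961 handling: reset only on an exact match with RCV.NXT, answer an
 * in-window RST with a challenge ACK, silently drop everything else. */
enum rst_verdict rst_check_rfc5961(uint32_t rcv_nxt, uint32_t rcv_wnd,
                                   uint32_t seg_seq)
{
    if (!rst_in_window(rcv_nxt, rcv_wnd, seg_seq))
        return RST_DROP;
    return seg_seq == rcv_nxt ? RST_ACCEPT : RST_CHALLENGE_ACK;
}

/* Distinct sequence values a sender with no view of the connection has to
 * cover, per candidate port, before one is certain to pass the RFC 793
 * test: ceil(2^32 / rcv_wnd). With no check at all the figure would be 1. */
uint64_t seq_values_to_cover(uint32_t rcv_wnd)
{
    const uint64_t space = 1ULL << 32;
    if (rcv_wnd == 0)
        return space;
    return (space + rcv_wnd - 1) / rcv_wnd;
}

int main(void)
{
    /* Constructed sample state: RCV.NXT just below the wrap, 4096-byte window. */
    uint32_t rcv_nxt = 0xFFFFFF00u, rcv_wnd = 4096;
    printf("seq 0x00000010 in window: %d\n",
           rst_in_window(rcv_nxt, rcv_wnd, 0x00000010u));
    printf("seq 0x00001000 in window: %d\n",
           rst_in_window(rcv_nxt, rcv_wnd, 0x00001000u));
    printf("RFC 5961 verdict for seq 0x00000010: %d\n",
           rst_check_rfc5961(rcv_nxt, rcv_wnd, 0x00000010u));
    printf("values to cover per port, 4096-byte window: %llu\n",
           (unsigned long long)seq_values_to_cover(rcv_wnd));
    return 0;
}
```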