Re: ICMP unreachables

[smb () research att com (smb () research att com)]

         In any case, the real solution is to have hosts that check both port
         numbers in the fake icmp packet.  As was mentioned in another message,
         most current systems do this checking, so nuke (and programs like it)
         don't work very well.

Note that in the case of TCP, the ICMP packet should also include the
sequence number of the bounced packet.  A good implementation should
check it, too.  Not foolproof, obviously, but still a step in the right
direction.