Subject: ICMP attacks against TCP
To: None <tech-net@netbsd.org>
From: Fernando Gont <fernando@gont.com.ar>
List: tech-security
Date: 12/09/2004 19:22:26
Folks,

I have authored an internet-draft on ICMP attacks against TCP. As
stated in the draft, these attacks are not new. Some systems already
implement counter-measures against some of them. However, as there has
not been any official proposal about what would be the best way to
deal with these attacks, these security checks have not been widely
implemented.

The abstract of the draft is:

    This document discusses the use of the Internet Control Message
    Protocol (ICMP) to perform a variety of attacks against the
    Transmission Control Protocol (TCP) and other similar protocols.
    It proposes several counter-measures to eliminate or minimize the
    impact of these attacks.

You can get the latest version of the draft from:
http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html

(Constructive) comments on the draft are more than welcome.

P.S.: As far as I understand, NetBSD does not check TCP sequence numbers.
Not sure how you handle the PMTUD issue, either.

Thanks!

--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org