
Re: [Captive-portals] Thinking of something related to captive portals for the ietf98 hackathon



I agree this is a DOS attack vector, but is it any worse than the TCP SYN attack vector, and any reason it can't be mitigated similarly with some rate control?  Yes, a naively defined ICMP message would be really bad, but I think a carefully defined one could work. 

Another possible mitigation: only accepting the ICMP message from sources within the same /48 as the host receiving the message. Combine this with BCP-38 filtering and you have drastically limited the scope of who could launch such a DOS attack. This requires the captive portal redirector, not necessarily the captive portal itself, to be within the same /48, but that doesn't seem like it's too onerous of a requirement. You could make it the same /64, but that might be too restrictive in some larger scale captive portal implementations.

Thanks.
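
The two mitigations discussed in this message (a same-prefix source check and rate control), sketched as a host-side acceptance filter. This is an added example, not part of the original message or of any draft; the class name, parameters and return strings are hypothetical, the addresses are constructed from the 2001:db8::/32 documentation range, and the source check is only meaningful where BCP-38 filtering keeps outside senders from spoofing an in-prefix source.

```python
import ipaddress
import time


class PortalIcmpFilter:
    """Hypothetical acceptance check for a captive-portal ICMP notification."""

    def __init__(self, host_addr, prefix_len=48, rate=5.0, burst=5,
                 clock=time.monotonic):
        # Prefix that contains the host's own address (/48 by default, /64 optional).
        self.scope = ipaddress.ip_network(f"{host_addr}/{prefix_len}", strict=False)
        self.rate = rate            # tokens added per second
        self.burst = burst          # bucket capacity
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()

    def in_scope(self, src):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False            # malformed source is never in scope
        return addr.version == self.scope.version and addr in self.scope

    def accept(self, src):
        """Return 'accept', 'drop-out-of-scope' or 'drop-rate-limited'."""
        # Scope check first: out-of-prefix senders must not drain the bucket.
        if not self.in_scope(src):
            return "drop-out-of-scope"
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return "drop-rate-limited"
        self.tokens -= 1.0
        return "accept"


if __name__ == "__main__":
    f = PortalIcmpFilter("2001:db8:aaaa:1::10", prefix_len=48, rate=1.0, burst=2)
    # Constructed sources: redirector in the same /48, then an off-site sender.
    for src in ["2001:db8:aaaa:ffff::1", "2001:db8:bbbb:1::1",
                "2001:db8:aaaa:ffff::1", "2001:db8:aaaa:ffff::1"]:
        print(src, f.accept(src))
```

Setting `prefix_len=64` shows the restriction mentioned above: a redirector in a different /64 of the same /48 is then dropped.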