What's the difference? If you do echo-reply, whoever initiated the ping will never see a response because it is filtered by the echo-reply in the first place. Or am I missing something with the echo-reply?! (it's late, forgive my ignorance) =) On Mon, 20 Apr 1998, Pete Ashdown wrote: :jlixfeld@idirect.ca said once upon a time: :> :>You could always "deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm log" on :>your cores. Deny ICMP from critical portions of your network. Create a :>little script which tail -fs the log, parses it, sorts it and counts it. :>If the script counts more then xxx hits on a certain IP or a certain :>number of IPs on your network from the same source or a multiple sources :>on the same network, you have your upstream. Once you have them, you can :>call them and ask them to do the same until you find the real source. : :You might want to stick in an "echo-reply" before the log. This will :specifically block the smurf, but won't affect any of the other ICMP which :does have a useful purpose. This of course will stop any of the blocked :addresses from doing outside pings or traceroutes as well. : -- Regards, Jason A. Lixfeld jlixfeld@idirect.ca iDirect Network Operations jlixfeld@torontointernetxchange.net --------------------------------------------------------------------- TUCOWS Interactive Ltd. o/a | "A Different Kind of Internet Company" Internet Direct Canada Inc. | "FREE BANDWIDTH for Toronto Area IAPs" 5415 Dundas Street West | http://www.torontointernetxchange.net Suite 301, Toronto Ontario | (416) 236-5806 (T) M9B-1B5 CANADA | (416) 236-5804 (F) ---------------------------------------------------------------------