Thus spake Alex P. Rudnev
>   deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm echo-request log
> to prevent smurf originating, or
>   deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm echo-reply
> to prevent smurf flooding into your network.
> No important ICMP are affected this case.
Depends what you (or your users) consider important. Consider that users think that they understand networking because they know how to ping or traceroute, and your support lines will be busy explaining that you aren't really down just because they can't traceroute to you.

We have a little script that looks at network usage and, when it sees a spike in traffic, temporarily blocks echo-reply in. It isn't perfect but it helps. We know what our normal traffic is, and when it goes much higher we kick the filter into place. If the script makes a mistake and blocks when it isn't really an attack, then we haven't actually cut anyone off, but we don't flood our downstreams when there is an actual attack.

-- 
D'Arcy J.M. Cain <darcy@{druid|vex}.net>   |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 424 2871   (DoD#0082)   (eNTP)      |  what's for dinner.
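The spike-triggered echo-reply filter described in the reply, worked through as an added example. This is not the poster's script (its details are not given in the thread); it is an illustration of the same idea: learn the normal inbound echo-reply rate, install the quoted deny line when the rate jumps far above it, and retract the line once a few intervals have been quiet. The counter series, the window, multiplier, floor and hold parameters, and the "no ..." retraction form are all assumptions made for the example.

```python
from collections import deque
from statistics import median

# Constructed sample: inbound ICMP echo-reply packets per 10-second interval,
# as one might read from an ACL match counter. Quiet background, a flood,
# then calm again.
SAMPLE_COUNTS = [90, 110, 95, 120, 100, 105, 98, 4800, 5200, 4900, 150, 100, 95]

# The filter line quoted in the thread; "no ..." is the usual way to retract
# it (assumed here, not stated in the post).
BLOCK_RULE = "deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm echo-reply"
UNBLOCK_RULE = "no " + BLOCK_RULE


class EchoReplyWatcher:
    """Install the echo-reply block when traffic far exceeds the learned
    baseline and release it after a few quiet intervals.

    Hypothetical parameters (not from the thread):
      window        -- intervals used to learn the normal rate
      multiplier    -- how many times the baseline counts as a spike
      min_baseline  -- floor so a near-idle link doesn't trigger on noise
      hold          -- quiet intervals required before the block is removed
    """

    def __init__(self, window=6, multiplier=8, min_baseline=50, hold=2):
        self.history = deque(maxlen=window)
        self.multiplier = multiplier
        self.min_baseline = min_baseline
        self.hold = hold
        self.blocked = False
        self.quiet = 0

    def threshold(self):
        """Spike threshold from the median of recent normal intervals, or
        None while nothing has been learned yet."""
        if not self.history:
            return None
        return self.multiplier * max(median(self.history), self.min_baseline)

    def observe(self, count):
        """Feed one interval's count; return ('block', rule), ('unblock', rule)
        or None when nothing changes."""
        limit = self.threshold()
        spike = limit is not None and count >= limit
        action = None
        if self.blocked:
            # Count consecutive quiet intervals; any renewed spike resets it.
            self.quiet = 0 if spike else self.quiet + 1
            if self.quiet >= self.hold:
                self.blocked, self.quiet = False, 0
                action = ("unblock", UNBLOCK_RULE)
        elif spike:
            self.blocked = True
            action = ("block", BLOCK_RULE)
        if not spike:
            # Learn only from normal-looking intervals so a flood cannot
            # raise the baseline and hide itself.
            self.history.append(count)
        return action


def run(counts):
    """Replay a counter series; return [(interval_index, action, rule), ...]."""
    watcher = EchoReplyWatcher()
    events = []
    for i, count in enumerate(counts):
        result = watcher.observe(count)
        if result:
            events.append((i, result[0], result[1]))
    return events


if __name__ == "__main__":
    for i, action, rule in run(SAMPLE_COUNTS):
        print(f"interval {i}: {action}: {rule}")
```

On the sample series the block goes in at interval 7, the first flood interval, and comes out at interval 11, after two intervals back near the baseline. The floor matters on a lightly used link: with almost no background echo-reply traffic, the median alone would make an ordinary burst look like a flood. The cost of a false trigger is exactly as the post says: echo-replies are dropped for a couple of intervals and nothing else is affected.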