Sure, but this like all other attacks of this sort can be tracked... and so the pain is over /quickly/ provided you can track it quickly :) Also, sometimes null routes are ok.
How quickly is quickly? Often times as has been my recent experience (part of my motivation for posting this thread) the flood is over before one can get a human being on the phone.
Once the call arrives and the problem is deduced it can be tracked in a matter of minutes, like 6-10 at the fastest...
So if one wants to create a really nasty, largely untrackable problem, one just needs to mount a set of attacks that last 3-4 minutes at a time? This is a very bad band-aid. The solution is amazingly simple - make it uneconomical to have unprotected networks, the same way as it is uneconomical for businesses that rely on internet for critical communications not to have a firewall in place when purchasing business interruption insurance. Alex