jlixfeld@idirect.ca said once upon a time:
You could always "deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm log" on your cores. Deny ICMP from critical portions of your network. Create a little script which tail -fs the log, parses it, sorts it and counts it. If the script counts more then xxx hits on a certain IP or a certain number of IPs on your network from the same source or a multiple sources on the same network, you have your upstream. Once you have them, you can call them and ask them to do the same until you find the real source.
You might want to stick in an "echo-reply" before the log. This will specifically block the smurf, but won't affect any of the other ICMP which does have a useful purpose. This of course will stop any of the blocked addresses from doing outside pings or traceroutes as well.