On Tue, 9 Dec 1997, Adrian Chadd wrote:

==>* Filtering ALL ICMP is pretty silly, ICMP is there for more than just
==>  pings, and some of it is important.

I believe he only said he was filtering ICMP echo replies.

==>* If people start doing this, someone with a smidgen of time on their
==>  hands will write a ping flooder that uses random TCP or UDP packets
==>  with spoofed from addresses.

People have been sending spoofed floods for ages. The problem is that with a spoofed flood, you must have the bandwidth to send it from. "smurf" multiplies traffic--a half a T1, pointed at 2 different co-location networks of a total of 180 hosts, can generate 67.5 Mbit/sec of traffic!

See http://www.quadrunner.com/~chuegen/smurf.html for technical information on the attack. Jake Khuon graciously converted my slide presentation into a webbified form at http://www.rsng.net/presentations/nanog11/smurf/index.html

==>I'm curious however - can anyone out there running netflow or something
==>similar give me a breakdown on what kind of ICMP traffic they're seeing?

One side note which is cued in perfectly by this is that netflow exports (or even "show ip cache flow") will show you all the hosts that are sending ICMP echo replies if you're being smurfed. One provider I know of has a script which parses the netflow output, sorts it, and then sends it to the NOC staff, which is then responsible for mailing a form letter with smurf attack information to the InterNIC contact for that network.

/cah
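
The flow triage described in the message above, as an added example that is not part of the original post and is not the provider's script: it picks ICMP echo replies aimed at a victim prefix out of flow records and ranks the source networks, which is the list a NOC would use to contact each network's registered owner. The record layout, the /24 grouping, the function name and the documentation-range addresses are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

ICMP, ECHO_REPLY = 1, 0  # IP protocol number 1, ICMP type 0

# Constructed sample flow records (not real traffic). Assumed layout:
# src_ip dst_ip ip_protocol icmp_type packets
SAMPLE_FLOWS = """\
198.51.100.10 192.0.2.7 1 0 4100
198.51.100.11 192.0.2.7 1 0 3900
198.51.100.12 192.0.2.7 1 0 4000
203.0.113.5 192.0.2.7 1 0 2500
203.0.113.6 192.0.2.7 1 0 2600
203.0.113.200 192.0.2.7 1 8 3
198.51.100.10 192.0.2.7 6 0 12
198.51.100.99 192.0.2.200 1 0 2
garbage line
"""

def echo_reply_sources(text, victim_net, group_prefix=24):
    """Summarise ICMP echo replies sent into victim_net, by source network.

    Returns [(source_network, distinct_hosts, total_packets)], largest first.
    """
    victim = ipaddress.ip_network(victim_net)
    hosts = defaultdict(set)
    packets = defaultdict(int)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers, blanks and malformed records
        try:
            src = ipaddress.ip_address(fields[0])
            dst = ipaddress.ip_address(fields[1])
            proto, icmp_type, pkts = (int(f) for f in fields[2:])
        except ValueError:
            continue
        if proto != ICMP or icmp_type != ECHO_REPLY or dst not in victim:
            continue  # keep only echo replies hitting the victim prefix
        net = ipaddress.ip_network(f"{src}/{group_prefix}", strict=False)
        hosts[net].add(src)
        packets[net] += pkts
    report = [(str(n), len(hosts[n]), packets[n]) for n in hosts]
    return sorted(report, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for net, n_hosts, pkts in echo_reply_sources(SAMPLE_FLOWS, "192.0.2.0/25"):
        print(f"{net:18} hosts={n_hosts:<3} echo-reply packets={pkts}")
```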