: ==>Could traffic shaping, or similar QoS configurations, be used to solve : ==>such issues in a more general way? : [...] : It has information on using Cisco's Committed Access Rate (CAR) feature : to rate-limit traffic such as ICMP echo/echo-reply and TCP SYNs. Thanks, everyone, for your responses. It seems that lots of us agree that CAR sounds like a wonderful mechanism for taming smurf-like attacks. (Thanks, Cisco and others who have provided it.) So isn't this the solution(**) to smurfing that we should be lobbying for? Consider: Using CAR to limit ICMP to a statistically normal range on all links has these features: * It can be implemented from the core out * It must be implemented by clueful network operators (because they run the core) * It must be implemented on a relatively small handful of rigorously-maintained routers Compare this to the drive for limitations on directed broadcasts: * It must be implemented at the edges * It must be implemented by widely-varying clue levels * It must be implemented on hundreds of thousands of routers that no one ever touches In short, the core grows slower, and is run by people with more experience. If the problem can be addressed there, then it seems like we *must* address it there. Comments, please. (**) You could well argue that limiting ICMP traffic on core/distribution links doesn't actually solve the problem -- lots of trash traffic can be generated on networks whose routers allow directed broadcasts. But that's if we define the problem to be trash ICMP because hosts reply to pings (or fraggle, or whatever); in such a case, traffic limitations are simply a kludge. However, if you define the problem to be packet floods, then I think CAR provides a viable and real solution. After all, directed broadcast is a useful tool; in such a definition, disabling it on a network is a kludge. My limited studies seem to show that there are enough smurf amplifiers on the Internet to easily saturate OC-48s. Perhaps the real problem *is* flooding -- not directed broadcast.