Filtering ICMP packets in DDoS attacks just makes the attacker attack harder. It's not a useful strategy except when protecting very slow links (T1 to 10Mbps) against very light attacks (32Mbps or less). The last few DDoS attacks I've tried to filter have resulted in attacks so significant there was nothing you could do at all. You will prompt a series of escalations this way. One new trick if the attacker can spoof is to take out a server on port 123 for IP 1.2.3.4 by swamping you with spoofed TCP SYN packets to that IP and port. The source IPs tend to be chosen from areas rich in major government and military sites. Filter them and the server is offline. Reply to them, and you are flooding thousands of innocent victims (with powerful response tactics) with unsolicited SYN ACK replies. If the attacker can't spoof, the sources are usually tracked and shutdown. Filtering just makes it so that you can't do the tracking and shutting down. So what's the good? Perhaps other people's experiences differ from mine. DS