You could just withdraw your BGP announcement for the net being attacked
and suddenly the attack packets will die at the first router without a
default route on their way to the victim.
...along with everything else. Do you have some way of determining which
router that is?
By looking at netflow stats or ip accounting I can usually find the host
being attacked by sorting the list by destination. The source will point
to hosts on a net being used as a smurf packet replicator, giving a hint
who might need to be contacted to shut off directed broadcasts. Netflow
stats even show it as being ICMP ECHO traffic if you look at the numeric
codes in the flow export. Once you know who is being attacked, you can
call your upstream providers or peers and have it traced, but if you want
the traffic stopped and the attack is flooding your pipe, about all you
can do it stop the traffic from getting to you, so if you are BGP peering
with your neighbors, withdraw the network annoucement for the victim and
the rest of your customers can continue to get their trafic. This doesn't
help trace in, although give how older cisco IOS code reacts to tossing
out unroutable packets, the intermediate hosts may find they have a
problem when their router CPU use hits 100%.
I too would rather have a good quick way to nail the people initiating
this sort of attack. However I have also found that my customers who are
victims are seldom random and are usually doing something to attract the
attack, like running IRC bots or running a sendmail capable of being a
SPAM relay. However I don't approve of vigilantism. This stuff can be
taken care of in other ways.