[NCLUG] Preventing ICMP DDoS
jeff
jeff at themoes.org
Wed Aug 6 11:38:55 MDT 2003
I have a server that was under an ICMP-based DDoS attack. It was enough to
flood the 100Mbit ethernet card.
After some arm twisting I was able to get the ISP to filter out ICMP to the
target IP on one of their upstream routers. Everything was jolly again. The
problem is that it is against the "policy" of this ISP to do such filtering
and they are only doing it until the weekend. After that the attack may come
back or may still be running.
A couple of "techs" there were telling me to use the firewalling rules of the
kernel to stop it. I was explaining that by the time it hits the box, the
bandwidth is already gone so it doesn't matter if I filter there or not.
To me my options appear to be 1) pray they don't attack again or 2) buy the
ISP's "PIX firewall" ($$$$) or 3) go to a different ISP.
I don't think I can count on 1. I don't want to do 2. 3 is kind of a drag
since it involves coordinating lots of volunteers (I can't just move stuff
myself) & lots of work (plus the contract).
Anyway, anyone here have a good option 4 that I'm missing? Is there some
super-majick voodoo in the kernel that can help here?
Thanks,
-Jeff
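The thread's practical point is that once an ICMP flood saturates the link, host-side filtering cannot give the bandwidth back; what the host can still do is measure whether the flood is arriving, which is also how you verify that an upstream filter is actually in place. Below is an added example, not code from the original post or from NCLUG, that reads the kernel's own counters in /proc/net/snmp and /proc/net/dev twice and reports inbound ICMP messages per second and inbound link utilisation. The interface name eth0, the 100 Mbit link speed and the two sample snapshots are assumptions constructed for this example; the /proc file formats are the real ones (the parser is header-driven, so it also copes with newer kernels that add counters such as InCsumErrors).

```python
"""Gauge an ICMP flood from the host's own kernel counters (added example).

Two snapshots of /proc/net/snmp and /proc/net/dev give the inbound ICMP
message rate and the inbound bit rate on an interface. This tells you whether
the flood is still reaching the box and how close the link is to saturation;
it does not (and cannot) free any bandwidth.
"""
import time

LINK_BITS_PER_S = 100_000_000   # assumed 100 Mbit/s link, as in the post


def parse_snmp(text):
    """Parse /proc/net/snmp into {proto: {counter_name: int}}.

    The file is pairs of lines per protocol: a header line naming the
    counters and a value line, both prefixed with the protocol name, e.g.
    'Icmp: InMsgs InErrors ...' followed by 'Icmp: 45 0 ...'.
    """
    headers, stats = {}, {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        proto, rest = line.split(":", 1)
        fields = rest.split()
        if proto not in headers:
            headers[proto] = fields                      # header line
        else:
            stats[proto] = dict(zip(headers.pop(proto), map(int, fields)))
    return stats


def parse_net_dev(text):
    """Parse /proc/net/dev into {iface: {"rx_bytes": int, "rx_packets": int}}."""
    result = {}
    for line in text.splitlines()[2:]:                   # skip 2 header lines
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)                 # tolerates 'eth0:123'
        cols = rest.split()
        result[iface.strip()] = {"rx_bytes": int(cols[0]),
                                 "rx_packets": int(cols[1])}
    return result


def icmp_report(snmp_a, snmp_b, dev_a, dev_b, iface, seconds):
    """Rates between two snapshots taken `seconds` apart."""
    ia, ib = parse_snmp(snmp_a)["Icmp"], parse_snmp(snmp_b)["Icmp"]
    da, db = parse_net_dev(dev_a)[iface], parse_net_dev(dev_b)[iface]
    rx_bits_per_s = (db["rx_bytes"] - da["rx_bytes"]) * 8 / seconds
    return {
        "icmp_in_per_s": (ib["InMsgs"] - ia["InMsgs"]) / seconds,
        "echo_req_per_s": (ib["InEchos"] - ia["InEchos"]) / seconds,
        "rx_bits_per_s": rx_bits_per_s,
        "link_utilisation": rx_bits_per_s / LINK_BITS_PER_S,
    }


def is_flooded(report, icmp_per_s=1000, utilisation=0.8):
    """Crude verdict: thresholds are assumptions, tune them for your link."""
    return (report["icmp_in_per_s"] >= icmp_per_s
            or report["link_utilisation"] >= utilisation)


def sample_live(iface="eth0", seconds=5):
    """Take two real samples on a Linux host (needs /proc)."""
    def read(path):
        with open(path) as f:
            return f.read()
    snmp_a, dev_a = read("/proc/net/snmp"), read("/proc/net/dev")
    time.sleep(seconds)
    snmp_b, dev_b = read("/proc/net/snmp"), read("/proc/net/dev")
    return icmp_report(snmp_a, snmp_b, dev_a, dev_b, iface, seconds)


# Constructed snapshots 5 s apart (made up for this example; 2003-era layout).
SNMP_BEFORE = """\
Icmp: InMsgs InErrors InDestUnreachs InTimeExcds InParmProbs InSrcQuenchs InRedirects InEchos InEchoReps InTimestamps InTimestampReps InAddrMasks InAddrMaskReps OutMsgs OutErrors OutDestUnreachs OutTimeExcds OutParmProbs OutSrcQuenchs OutRedirects OutEchos OutEchoReps OutTimestamps OutTimestampReps OutAddrMasks OutAddrMaskReps
Icmp: 1000 0 10 0 0 0 0 980 10 0 0 0 0 990 0 10 0 0 0 0 0 980 0 0 0 0
"""
SNMP_AFTER = """\
Icmp: InMsgs InErrors InDestUnreachs InTimeExcds InParmProbs InSrcQuenchs InRedirects InEchos InEchoReps InTimestamps InTimestampReps InAddrMasks InAddrMaskReps OutMsgs OutErrors OutDestUnreachs OutTimeExcds OutParmProbs OutSrcQuenchs OutRedirects OutEchos OutEchoReps OutTimestamps OutTimestampReps OutAddrMasks OutAddrMaskReps
Icmp: 401000 0 110 0 0 0 0 400880 10 0 0 0 0 400890 0 10 0 0 0 0 0 400880 0 0 0 0
"""
DEV_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0    12345      100    0    0    0     0       0          0
  eth0: 500000000 2000000    0    0    0     0          0         0 30000000   200000    0    0    0     0       0          0
"""
DEV_AFTER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0    12345      100    0    0    0     0       0          0
  eth0: 560000000 2400000    0    0    0     0          0         0 30500000   205000    0    0    0     0       0          0
"""

if __name__ == "__main__":
    rep = icmp_report(SNMP_BEFORE, SNMP_AFTER, DEV_BEFORE, DEV_AFTER, "eth0", 5)
    print(rep, "flooded" if is_flooded(rep) else "normal")
```

Run it on the constructed snapshots to see the numbers, or call `sample_live()` on the real host: if the upstream filter is working, the ICMP rate collapses while the link utilisation drops with it; if only a local iptables rule is in place, the ICMP counters still climb and the link stays near saturation, which is exactly the point being made to the ISP's techs.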