It seems every firewall is slagged as snake oil. So how should it be done?

Although true, this isn't that much of an exception, IMHO. As you said yourself, decent firewalls can handle ping-floods from a few sources by rate-limiting the responses, and a distributed ping-flood usually can exhaust 10 Mb/s just as easily as 1 Mb/s.

cu

59cobalt
Ansgar -59cobalt- Wiechers

A DDoS attack is quite different from a DoS attack though, and really is a different ballpark, both technologically and in terms of the sophistication needed to launch an attack. In other words, an echo request attack is script kiddie 101; a true flood takes a bit more effort (unless I missed a botnet fire sale online).

My 10/1 cable modem can easily use this type of attack to take down a user on a 2Mb/256Kb level of service with a pure DoS -- In other words, this type of attack means all I need is for my upstream to exceed the victim's upstream, rather than a traditional flood, which would require my upstream to exceed the victim's downstream.

If I don't care about spoofing my IP, I could do it from the Windows command prompt by launching the right number of ping.exe sessions with some carefully tuned packet sizes.

"Decent firewalls" != "The cheapest NAT box at Best Buy" (in other words, I don't believe most people have a "decent firewall")

Let me also say that I personally believe anyone advocating disabling ICMP is flat out ignorant and unqualified to dispense advice, and anyone advocating discarding echo requests in the name of security probably has a similar misunderstanding.

As someone with more than a passing interest in both security and DoS/DDoS prevention/survival, I consider it important to understand the risks.

DevilsPGD
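The two posts above make two separate points: the echo flood only has to beat the victim's upstream, because every request is mirrored back as an equal-sized reply, and rate-limiting replies defeats a single-source flood but not a distributed one that stays under a per-source limit. The following toy model is an added example, not code from either poster or from any firewall product; it assumes 1000-byte echo payloads, one-second ticks, and a token bucket standing in for a firewall's ICMP rate limit (the `limit` and `hashlimit` matches in iptables are the real-world equivalents of the global and per-source buckets). The link speeds are the ones quoted in the thread: a 1 Mb/s attacker upstream against a 2 Mb/256 Kb victim.

```python
"""Toy model of the ICMP echo flood asymmetry and of echo-reply rate limiting.

Assumptions (not from the thread): 1000-byte echo payloads, per-second
ticks, and a token-bucket limiter standing in for a firewall's ICMP rate limit.
"""

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header


def wire_bytes(payload):
    """Bytes on the wire for one echo request. The echo reply mirrors it
    byte for byte, so the victim's upstream carries as much as arrives."""
    return IP_HDR + ICMP_HDR + payload


class TokenBucket:
    """Per-second token bucket: at most `rate` replies/s sustained, `burst` at peak."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def refill(self):
        # Called once per simulated second.
        self.tokens = min(self.burst, self.tokens + self.rate)

    def allow(self, n):
        granted = min(n, self.tokens)
        self.tokens -= granted
        return granted


def simulate(attacker_bps, victim_down_bps, victim_up_bps, payload,
             seconds=10, sources=1, make_limiter=None, per_source=False):
    """Flood the victim from `sources` hosts that share `attacker_bps` of upstream.

    Returns utilisation of the victim's downstream (requests in) and upstream
    (replies out). `make_limiter` builds a TokenBucket; with per_source=True
    each source gets its own bucket (hashlimit keyed on source address),
    otherwise one bucket covers all echo replies (the plain limit match).
    """
    pkt_bits = wire_bytes(payload) * 8
    per_src_pps = attacker_bps // sources // pkt_bits   # whole requests/s per source
    req_pps = per_src_pps * sources

    if make_limiter is None:
        buckets = {}
    elif per_source:
        buckets = {s: make_limiter() for s in range(sources)}
    else:
        shared = make_limiter()
        buckets = {s: shared for s in range(sources)}

    replies = 0
    for _ in range(seconds):
        for bucket in set(buckets.values()):   # refill each distinct bucket once per second
            bucket.refill()
        for s in range(sources):
            replies += buckets[s].allow(per_src_pps) if buckets else per_src_pps

    reply_bps = replies * pkt_bits / seconds
    return {
        "request_pps": req_pps,
        "downstream_util": req_pps * pkt_bits / victim_down_bps,
        "upstream_util": reply_bps / victim_up_bps,
        "upstream_saturated": reply_bps >= victim_up_bps,
    }


if __name__ == "__main__":
    ATTACKER, DOWN, UP, PAYLOAD = 1_000_000, 2_000_000, 256_000, 1000
    limiter = lambda: TokenBucket(rate=10, burst=20)
    print("single source, no limit:   ", simulate(ATTACKER, DOWN, UP, PAYLOAD))
    print("single source, global limit:", simulate(ATTACKER, DOWN, UP, PAYLOAD,
                                                   make_limiter=limiter))
    print("100 sources, per-source limit:", simulate(ATTACKER, DOWN, UP, PAYLOAD,
                                                     sources=100, make_limiter=limiter,
                                                     per_source=True))
    print("100 sources, global limit:", simulate(ATTACKER, DOWN, UP, PAYLOAD,
                                                 sources=100, make_limiter=limiter))
```

In the single-source run the victim's 2 Mb/s downstream is only half used while the 256 Kb/s upstream is oversubscribed nearly fourfold by replies alone, which is the asymmetry the post describes. A global limit of 10 replies/s caps the upstream at about a third of its capacity. Split the same 1 Mb/s across 100 sources, each sending one request per second, and a per-source limit never triggers while the upstream still saturates; only the global bucket holds, at the cost of also limiting replies to legitimate pingers.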

Me neither, which is why I asked. If I thought he did understand and proceeded to dispense such poor advice anyway, I'd be assuming he has malicious intent, attempting to mislead other ignorant users rather than just being ignorant himself.

There is no crime or shame in ignorance, only in wilfully remaining ignorant.

DevilsPGD

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.