This leads to a bug I've literally been afraid to test: How about forging a ping packet with source and destination address YOUR.NET.HERE.255? Should cause a brief but interesting storm, while doing only minimal loading on the forger.