Re: Land and Cisco question

I'm sorry - but the Right Thing (tm) to do is to ingress filter, as I have already evangelized.
Like it or not.
Paul is correct. Various vendors will update their systems to handle this packet of death, but someone will discover another packet of death. Anti-spoofing filters don't prevent them, but they do act as fire stops to slow their spread.

Topology may prevent you from creating perfect screens, but even with the 80/20 rule, anti-spoofing would impede many DOS attacks; or speed up the tracking of the source. Just because there are good reasons for not doing it in the 20%, you should still try to do it for the 80% it would help.

Single-homed networks, even broad networks like MCI's backbone, rarely have legitimate packets with their source address originated by hosts not directly on those networks and routed through parts unknown.

As an added bonus, anti-spoofing filters also block several cases of people pointing default at your network. Think about it.

--
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
Affiliation given for identification not representation
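The source-address check argued for in the message above, sketched for the border of a single-homed site. This is an added example, not part of the original post: the prefix (an RFC 5737 documentation range), the interface labels and the function names are all assumptions, and the sample packets are constructed. A Land packet carries the victim's own address as its source, so when it arrives from upstream the inbound rule drops it without the filter knowing anything about that particular attack.

```python
import ipaddress

# Constructed prefix (RFC 5737 documentation range) standing in for the
# address space of a single-homed site. Hypothetical, not from the post.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def is_site_address(addr):
    """True if addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_PREFIXES)


def edge_filter(arrival_interface, src, dst):
    """Return (action, reason) for a packet crossing the site border.

    arrival_interface is "inside" (from the site's hosts, heading out) or
    "outside" (from the upstream provider, heading in). dst is carried only
    for logging; the decision depends on the source address alone.
    """
    src_is_ours = is_site_address(src)
    if arrival_interface == "inside":
        if src_is_ours:
            return ("permit", "source belongs to the site")
        return ("drop", "outbound packet with a source that is not ours")
    if arrival_interface == "outside":
        if src_is_ours:
            return ("drop", "our own address arriving from upstream")
        return ("permit", "external source")
    raise ValueError("unknown interface: %r" % (arrival_interface,))


# Constructed sample packets: (interface, source, destination).
SAMPLE_PACKETS = [
    ("outside", "192.0.2.10", "192.0.2.10"),     # Land-style: src == dst == victim
    ("outside", "198.51.100.7", "192.0.2.10"),   # ordinary inbound traffic
    ("inside", "192.0.2.25", "203.0.113.9"),     # ordinary outbound traffic
    ("inside", "203.0.113.50", "198.51.100.7"),  # spoofed source leaving the site
]


def classify_samples():
    """Run the filter over the constructed samples, returning the actions."""
    return [edge_filter(*pkt)[0] for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", edge_filter(*pkt))
```

The outbound rule is the half that helps everyone else: it keeps spoofed packets from leaving the site and makes the source of an attack traceable to the network that emitted it.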