On Mon, 16 Sep 1996, Tim Bass wrote:

==>Show me the topology, the router configurations of the gateways,
==>and the format of the denial-of-service attack packets and I'll
==>be surprised if I can't devise a scheme to stop it, even if
==>the attacker changes source addresses frequently (and I'm
==>happy to do it).

Okay, here you go... come up with a plan.

I have a machine, X.  It is directly off FastEthernet 1/1 of my 7513, Y.
My net connection is a T1, off Serial0/0 of Y, to my provider's router, Z.

X is 172.30.15.5/28, Y's Fast1/1 is 172.30.15.1/28, Y's Serial0/0 is
192.168.1.2/30, and Z's serial interface to me is 192.168.1.1/30.

Configuration is standard; the only access list on my router is an
outbound access-list filtering my source addresses to make sure only
packets with sources of 172.30.0.0/16 get out.  It's applied in this
fashion:

access-list 115 permit ip 172.30.0.0 0.0.255.255 any
access-list 115 deny ip any any log

interface Serial0/0
 ip access-group 115 out

The SYN flood coming towards my host X looks like this, at approximately
2,000 PPS:

182.58.239.2.1526 -> 172.30.15.5.80 TCP SYN
19.23.212.4.10294 -> 172.30.15.5.80 TCP SYN
93.29.233.68.4355 -> 172.30.15.5.80 TCP SYN
[... on and on ...]

Tell me how to filter this.

/cah
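The flood described above, as an added worked example that is not part of the original message or thread: it parses SYN lines in the exact format quoted in the post, mirrors the poster's outbound access-list 115 as a check function, and then measures what a deny-list built from observed source addresses would catch in the next second of traffic. The three packet lines are the ones from the post; every other flood line is constructed with a seeded generator (one fresh spoofed source per packet, as the post describes), and the function names (parse_syn, egress_permitted, synthetic_flood, source_stats, acl_hit_rate) are this example's own, not anything from the thread or from IOS.

```python
"""Added example: why per-source filtering does not converge against a
SYN flood whose source address changes on every packet.  Not part of the
original post; sample traffic beyond the three quoted lines is constructed."""
import ipaddress
import random
import re

VICTIM = "172.30.15.5"          # host X in the post
VICTIM_PORT = 80

# The poster's outbound filter: access-list 115 permit ip 172.30.0.0 0.0.255.255 any
EGRESS_PERMIT = ipaddress.ip_network("172.30.0.0/16")

# Matches the post's line format: "182.58.239.2.1526 -> 172.30.15.5.80 TCP SYN"
SYN_LINE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+)\s+TCP SYN$"
)

# The three lines quoted in the post.
POST_LINES = [
    "182.58.239.2.1526 -> 172.30.15.5.80 TCP SYN",
    "19.23.212.4.10294 -> 172.30.15.5.80 TCP SYN",
    "93.29.233.68.4355 -> 172.30.15.5.80 TCP SYN",
]


def parse_syn(line):
    """Return {src, sport, dst, dport} for a line in the post's format, else None."""
    m = SYN_LINE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def egress_permitted(src):
    """Mirror of ACL 115 applied 'out' on Serial0/0: only 172.30.0.0/16 may leave.
    This stops X's own net from spoofing outward; it says nothing about inbound."""
    return ipaddress.ip_address(src) in EGRESS_PERMIT


def _random_source(rng):
    # Constructed spoofed source: first octet 1-223 so it looks routable, rest random.
    return ".".join(str(rng.randint(1, 223) if i == 0 else rng.randint(0, 255))
                    for i in range(4))


def synthetic_flood(n, seed=1996):
    """Constructed flood: n lines in the post's format, each with a fresh spoofed source."""
    rng = random.Random(seed)
    return [f"{_random_source(rng)}.{rng.randint(1024, 65535)} -> "
            f"{VICTIM}.{VICTIM_PORT} TCP SYN" for _ in range(n)]


def source_stats(lines):
    """Count SYNs aimed at X:80 and how many distinct sources they claim."""
    pkts = [p for p in map(parse_syn, lines)
            if p and p["dst"] == VICTIM and p["dport"] == VICTIM_PORT]
    sources = {p["src"] for p in pkts}
    return {"packets": len(pkts), "unique_sources": len(sources), "sources": sources}


def acl_hit_rate(learned_sources, lines):
    """Fraction of a later batch that a deny-list of previously seen sources would drop."""
    pkts = [p for p in map(parse_syn, lines) if p]
    if not pkts:
        return 0.0
    return sum(p["src"] in learned_sources for p in pkts) / len(pkts)


def demo():
    """One second of flood (~2,000 PPS per the post), then the next second."""
    first = POST_LINES + synthetic_flood(1997, seed=1)
    second = synthetic_flood(2000, seed=2)
    stats = source_stats(first)
    return {
        "packets_first_second": stats["packets"],
        "unique_sources_first_second": stats["unique_sources"],
        "deny_list_hit_rate_next_second": acl_hit_rate(stats["sources"], second),
        "victim_passes_egress_acl": egress_permitted(VICTIM),
        "spoofed_source_passes_egress_acl": egress_permitted("182.58.239.2"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The numbers make the poster's point concrete: unique sources track the packet count almost one for one, so a deny-list built from the first second's 2,000 sources drops essentially none of the next second, and an ACL that tried to keep up would grow by the flood rate forever. The one filter on the router, ACL 115, only constrains what leaves X's network; it has no bearing on spoofed packets arriving from Z.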