How outlandish would it be (and I realize it'd have to be done in the router software and all that implies) to just turn on source routing on particular types of packets (e.g., ICMP) and, optionally, strip it as it went out the edge routers?

Would this really add all that much to the total bandwidth? I haven't looked at the overhead, but with a max diameter of, say, 16 it'd be 64 (16x4) bytes plus whatever overhead per (ICMP) packet, and that's pretty much a worst case.

Then packets could be easily analyzed at the target router and immediately traced right back to the first "responsible" router very near the source, probably at the origin site in most cases, bypassing any need to trace in between.

And yes I mean all the time, not just when there's an attack in progress.

But if it were stripped back to a regular ICMP packet before it went out, e.g., a customer's T1, it wouldn't impose any burden on the customer's last mile bandwidth, other than whatever processing is involved in the router they're attached to, but I'll assume that's insignificant from the point of view of that customer under normal conditions.

-- 
        -Barry Shein

Software Tool & Die    | bzs@world.std.com       | http://www.world.com
Purveyors to the Trade | Voice: 617-739-0202     | Login: 617-739-WRLD
The World              | Public Access Internet  | Since 1989     *oo*
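Added example, not part of the original post: a sketch of the per-hop recording and target-side readback described above, using IPv4's existing Record Route option (RFC 791, type 7) as a stand-in for the proposed mechanism. IPv4 options are limited to 40 bytes, so this option holds at most 9 addresses and a 16-hop record would need a different encoding; because routers stop writing once it is full, the first entry is still the router nearest the source. The function names and the sample path are assumptions made for illustration.

```python
import ipaddress

RR_TYPE = 7         # IPv4 Record Route option type (RFC 791)
MAX_OPT_BYTES = 40  # IPv4 header is at most 60 bytes, 20 of them fixed

def new_rr_option(slots):
    """Sender or first router: empty option with room for `slots` addresses."""
    length = 3 + 4 * slots  # type + length + pointer, then 4 bytes per hop
    if length > MAX_OPT_BYTES:
        raise ValueError(f"{slots} hops need {length} bytes, limit is {MAX_OPT_BYTES}")
    return bytes([RR_TYPE, length, 4]) + bytes(4 * slots)

def record_hop(opt, router_ip):
    """Forwarding router: write own address at the pointer, advance it by 4."""
    length, ptr = opt[1], opt[2]
    if ptr + 3 > length:  # route area full: forward unchanged
        return opt
    addr = ipaddress.IPv4Address(router_ip).packed
    return opt[:2] + bytes([ptr + 4]) + opt[3:ptr - 1] + addr + opt[ptr + 3:]

def recorded_route(opt):
    """Target router: recorded hops in order; element 0 is nearest the source."""
    if len(opt) < 3 or opt[0] != RR_TYPE:
        raise ValueError("not a Record Route option")
    length, ptr = opt[1], opt[2]
    if length != len(opt) or ptr < 4 or (ptr - 4) % 4 or ptr > length + 1:
        raise ValueError("malformed Record Route option")
    return [str(ipaddress.IPv4Address(opt[i:i + 4])) for i in range(3, ptr - 1, 4)]

def trace(path, slots):
    """Carry one option across `path`; return (hops seen at target, option size)."""
    opt = new_rr_option(slots)
    for router in path:
        opt = record_hop(opt, router)
    return recorded_route(opt), len(opt)

# Constructed sample path of 12 routers (192.0.2.0/24 is a documentation range).
SAMPLE_PATH = [f"192.0.2.{i}" for i in range(1, 13)]

if __name__ == "__main__":
    hops, size = trace(SAMPLE_PATH, 9)
    print(f"{size} option bytes, {len(hops)} hops recorded, first: {hops[0]}")
```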