[Feel free to respond with: take it to list XYZZY]

There's been an ongoing DDoS here at world.std.com (The World) tho it's not quite DoS'ing (you got this, right?) it's getting very tiring and obviously is affecting many systems "out there".

The MO: (easy to understand but pretty nasty):

What I presume is a zombie army sending out gazillions of emails to thousands of hosts out there (not ours) with a randomly generated (usually) return/source address @ our domain(s).

The target addresses are usually also unknown so it just bounces back at us.

Besides the obvious SMTP traffic this also generates a lot of DNS traffic.

At this point the DNS traffic seems to be more of a nuisance probably because so many target hosts are retrying.

At one point we were doing around 10K pkts/second in DNS traffic, very unusual.

This has been going on for about a week. I'd hoped some little mitigation tricks here and there and a few days' patience and the excess mouths would get tired of this and go back to stuffing neighbors' pets down their garbage disposals for yucks, etc.

So where does one start. It seems a mother ship needs to be shut down somewhere, etc. Obviously ID'ing a miscreant would be a nice result.

P.S. If you think "get a firewall": The problem traffic is coming from legitimate hosts in the form of DNS+SMTP, not the bots (not to us anyhow.) So not so simple, what's the filter?

--
        -Barry Shein

The World              | bzs@TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*