I've received a swathe of private email pointing out other and more complex methods of this exploit. The reason we were not keen to go into detail about things like this is that the advisory was a "heads up" to a large public forum and it would be nice if people would not mention more detailed exploits on such a public forum as NANOG :)

I can think of at least three methods to perform this exploit in such a way as to invalidate the suggested, or in some cases *any*, filtering and restrict detection to netflow and the like. My personal view is that people that are clueful enough to do so probably won't so I'm not keen to educate people in this way ;)

Cheers,

Lyndon Levesley
GX Networks (formerly Xara Networks)
--
Penis Envy is a total Phallusy.