Sean, A few ideas... The ISPs who are providing services to their customers have a responsibility to implement the measures necessary to prevent or reduce the impact of malicious attacks such as those which have occurred over the past week. In addition, it's the customer's responsibility to make sure that they have the necessary measures to protect their networks and hosts, and that they've verified that their ISPs are protecting them. I don't think that the federal government needs to pass a law defining how one should protect his networks, or how an ISP should implement network protection measures. If the Internet industry developed a set of rules/guidelines (Barry Greene's document, as well as pertinent RFCs such as 2267, are a good starting place), the customers can shop around to find a provider who will protect his network. After all, this isn't a regulated monopoly, like an RBOC. The ISPs need to put a system in place where they can work together to quickly trace and isolate the source of any attack. Perhaps the vendors need to develop some mechanisms to facilitate this. If we had the ability to quickly conduct a cooperative trace of of an attack, and it would result in the apprehension and eventual prosecution of the attackers, it would serve as a good deterrent to future attacks. My $0.02, -rb ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com