Hi, I am wondering why it seems that many ISPs still do not do packet source verification in 2010? Just last night I had to deal with a DoS attack that would have been impossible if more ISPs did packet source verification. I mean, it's 2010. We can do IP-level ACLs in hardware on most of the current routing platforms on the market. I know it can be done on Cisco, Brocade, etc. Not sure on the new NX-OS stuff, but the 6500 series chassis can do IP-level ACL in hardware. The ACLs aren't hard either, you set an ACL forbidding traffic from anything other than an access-list containing their allocated IP ranges... Grumble. (on the other hand, it's not like spoofing does any good anyway... if you're willing to work the netflow data and call your upstreams to get at their netflow data you can easily trace each bot in the botnet to it's origination network which can then look at their traffic flow data and shut it down...) William