There is another mitigation: everyone here should commit to filtering customer packets at the customer premesis router (or at the dial in for PPP/SLIP) such that it is not possible for a customer to send a packet into the network that has an IP source address on it that is not assigned to that customer. That is, no more lying about source addresses. Each of you should also consider (depending upon how your address allocations go - this should be cheap for a single CIDR block) filtering all packets coming at you from elsewhere that has source addresses in your assigned address space. That is, no one should be able to send you packets that you appear to have originated. This is for the terminal networks, not the transit networks. This is an old problem. It's another variant of the TCP SYN flood thing. These filters also help with that problem too. Erik Fair <fair@clock.org>