It is also important to remember that the SYN attack is only one in a class of one-way denial-of-service attacks. While hardening the servers on the net against this kind of attack is important (and is the province of the server/OS vendors, not the router or firewall vendors), the most effective way to end a denial of service attack is to trace it to its source, and terminate it there. To be able to trace without doing a lot of link-by-link guesswork, the edges of the network need to be filtered, such that no customer of any ISP or NSP can inject packets into the Internet that are not part of the customer's assigned address space. This will give us a first approximation of an ability to figure out where this stuff comes from. While it's harder to trace if we get less than 100% compliance, if we get 60%, we know where to start looking for the perps - the remaining 40%. The other nice effect of this requirement is that, in the implementations that I am aware of, it's cheaper to filter one big CIDR block than a bazillion disjoint address spaces, thus adding one more thump to the drumbeat for CIDR. It is time for a Best Common Practice document.

Erik Fair
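The edge ingress filter the post calls for, simulated in Python as an added example (not part of the original message). The customer prefixes and the packet trace are constructed sample data; collapsing the prefixes first shows the CIDR point, that fewer, larger blocks mean fewer filter entries per packet.

```python
"""Simulated edge ingress filter: a packet arriving on a customer port is
accepted only if its source address lies inside the address space assigned
to that customer.  Added example; prefixes and trace are constructed."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed: prefixes assigned to one ISP customer port (documentation ranges).
CUSTOMER_PREFIXES = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"]

# Constructed sample trace of (src, dst) pairs seen on that customer port.
# The last two carry source addresses the customer was never assigned.
SAMPLE_TRACE = [
    ("192.0.2.10", "203.0.113.5"),
    ("198.51.100.77", "203.0.113.5"),
    ("192.0.2.200", "203.0.113.9"),
    ("203.0.113.99", "203.0.113.5"),   # source outside assigned space
    ("10.0.0.1", "203.0.113.5"),       # source outside assigned space
]


def aggregate(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse adjacent or overlapping prefixes into the smallest rule set.

    This is the CIDR argument in the post: one /24 costs the edge router one
    filter entry where two adjacent /25s would cost two."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def ingress_filter(prefixes: Iterable[str],
                   trace: Iterable[Tuple[str, str]]):
    """Return (accepted, dropped) for the packets in `trace`.

    Only a source inside an assigned prefix passes; everything else is
    dropped, and the dropped list is what the operator would log to trace
    an attack back to the port it entered on."""
    rules = aggregate(prefixes)
    accepted, dropped = [], []
    for src, dst in trace:
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in rules):
            accepted.append((src, dst))
        else:
            dropped.append((src, dst))
    return accepted, dropped


if __name__ == "__main__":
    print("filter rules:", [str(n) for n in aggregate(CUSTOMER_PREFIXES)])
    ok, bad = ingress_filter(CUSTOMER_PREFIXES, SAMPLE_TRACE)
    for src, dst in bad:
        print(f"DROP on customer port: src {src} not in assigned space (dst {dst})")
```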