... and other discussion about <<they are updating phasers and we are building new shields>>...

Please note one important issue. You can protect your server from SYN attack, you can protect it against spoofing, etc... But IF a customer (cracker) is allowed to send packets with ANY SRC address into the whole network, he (the cracker) will always have 1,000 different ways of cracking the Internet. He can send DNS requests with YOUR src address, he can send SYNs, he can send ICMP UNREACHABLE and any other packets. The only shield you can use in this case is _your pipe is larger than his_. But if there is any way to cause some server to send 10 packets for 1 requesting UDP packet - that's all...

The ONLY way of preventing these attacks is the SRC CONTROL you must have on the boundaries with the customers. An IP provider has to control customers STRICTLY. One way to do it is _to check routing of SRC address_. Then (in this check) different filtering criteria can be used. The easiest is _back routing has to be the same as direct routing_; another is _SRC from interface0 can't be routed to interface2_, etc...

But anyway, this (by SRC) filtering is the only way of creating a good shield.

---
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
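The two filtering criteria named in the message, sketched as an added example that is not part of the original post: a reverse-path check (the route back to the source must leave by the interface the packet arrived on) followed by an interface-pair rule. The routing table, interface names and policy are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, outgoing interface). Not from the post.
ROUTES = [
    ("0.0.0.0/0", "upstream0"),
    ("192.0.2.0/24", "cust1"),
    ("198.51.100.0/24", "cust2"),
    ("198.51.100.128/25", "cust1"),  # more-specific block behind cust1
]
TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]

# Constructed policy for the second criterion: traffic arriving on the
# first interface may never be forwarded out of the second.
DENY_PAIRS = {("cust1", "cust2")}


def lookup(addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in TABLE if ip in net]
    return max(matches)[1] if matches else None


def check_packet(src, dst, in_if):
    """Return (accepted, reason) for a packet arriving on in_if."""
    back_if = lookup(src)
    if back_if is None:
        return False, "no route back to source"
    if back_if != in_if:  # back routing must equal direct routing
        return False, f"source routes via {back_if}, arrived on {in_if}"
    out_if = lookup(dst)
    if out_if is None:
        return False, "no route to destination"
    if (in_if, out_if) in DENY_PAIRS:
        return False, f"{in_if} -> {out_if} forbidden by policy"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample packets: (src, dst, arrival interface).
    for pkt in [
        ("192.0.2.10", "203.0.113.5", "cust1"),      # legitimate customer
        ("203.0.113.5", "198.51.100.7", "cust1"),    # forged source
        ("198.51.100.200", "203.0.113.5", "cust2"),  # /25 lives on cust1
        ("192.0.2.10", "198.51.100.7", "cust1"),     # denied interface pair
    ]:
        print(pkt, check_packet(*pkt))
```

The third sample shows why the check needs longest-prefix matching: the source falls inside cust2's /24 but the more-specific /25 routes back through cust1, so the packet is rejected on cust2.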