Hi nanog,

I'm sorry if I raise a cliché topic, but I've searched the nanog archive and got no satisfactory answer. The question is quite simple: what's the best practice if my downstream customer reports a heavy DDoS attack (ICMP based, not source addr. spoofing)? Yes, filter out the packets via ACL, but the impact on an OC3/OC48 link with ACL packet filtering sounds like a nightmare. Is there any effective practice to prevent my engineers from patching the router here and there via packet ACLs? Yes again, via dCAR to rate-limit the ICMP traffic, but as soon as you mention the packet-filtering method, it seems as if my router goes up in smoke.

Then I wonder what my US counterparts do to beat DDoS attacks on their customers? Best real-world practice? How about tier-1s like UUNet?

Thanks for any input.

--------------------------------------------
(Mr.) Yu Ning, Chief Engineer
ChinaNET Sr. Support & New Service Dev.
Data Communication Bureau, China Telecom
Beijing, P.R.China
+86-10-62072357/62072354
--------------------------------------------
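Added example, not from the poster: the CAR approach the post mentions, using an ACL only to classify ICMP echo/echo-reply so the policer rate-limits it instead of the ACL dropping it outright. The interface name, ACL number and rate are assumed; on a 7500 with VIPs the same statement runs as dCAR.

```cisco
! Constructed example config, not the poster's or any vendor template.
! Classification ACL: match only ICMP echo and echo-reply, which is
! what an ICMP flood is made of; nothing is denied here.
access-list 150 permit icmp any any echo
access-list 150 permit icmp any any echo-reply
!
interface POS1/0
 description customer-facing link (interface name assumed)
 ! Police ICMP matched by ACL 150 to 512 kbps with an 8000-byte burst;
 ! conforming ICMP passes, excess is dropped, all other traffic is untouched.
 rate-limit input access-group 150 512000 8000 8000 conform-action transmit exceed-action drop
!
! Check that the policer is matching and how much it is dropping.
show interfaces POS1/0 rate-limit
```

Because ACL 150 has no deny entries, legitimate ICMP (e.g. PMTU-related types are not even matched) keeps flowing at the policed rate, which is the difference between this and an ACL that blocks ICMP entirely.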