---------- From: Paul A Vixie[SMTP:paul@vix.com]

But let me turn it around. With no means of detection, why do we suspect that it's a problem? That is, why doesn't the cause for suspicion also work as a means of detection?

Well, here is the way I found mine. We keep usage information on all of our router ports, and one day, my FDDI interface to an exchange point jumps by 10Mbps. I haven't added any customers, and going back to examine my traffic patterns for customer ports, I have no coinciding traffic increase. However, I do show this increase mainly passing from one Exchange point to the other. After isolating all traffic sources that would have created such a jump in traffic, I come up with a big goose egg.

So, my next step was to log some flows from the router at the exchange point, and after poring through quite a few flows, I begin to see traffic from an entity that my company has absolutely no relationship with. This all takes quite a bit of time. I would not want to judge anyone with partial data.

Meanwhile, bandwidth paid for by my customers, and engineered based upon my customers' needs, is being chewed up. My customers are affected. I would prefer to prevent such events from affecting my customers, who I think would agree with this method.

IMHO, as long as money is involved, and as long as someone thinks that they have a chance of getting away with something, they will try it.

Chris
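
The flow review described in the message above, as an added example that is not part of the original post: it totals bytes for flows that enter one exchange-point port and leave by the other with neither address inside a customer prefix. The interface names, prefixes, threshold and flow records are constructed, and the five-field text format is an assumption, not a real router export format.

```python
import ipaddress
from collections import defaultdict

# Constructed inputs (documentation address ranges only).
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
EXCHANGE_IFS = {"fddi0", "hssi0"}  # assumed names of the two exchange-point ports

# Assumed record layout: in_if out_if src dst bytes
SAMPLE_FLOWS = """\
fddi0 serial1 203.0.113.10 192.0.2.25 400000
serial1 fddi0 192.0.2.25 203.0.113.10 120000
fddi0 hssi0 198.51.100.77 203.0.113.200 9000000
fddi0 hssi0 198.51.100.78 203.0.113.201 7500000
hssi0 fddi0 203.0.113.200 198.51.100.77 300000
"""

def is_customer(addr):
    """True when the address falls inside any customer prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CUSTOMER_PREFIXES)

def parse_flows(text):
    """Yield (in_if, out_if, src, dst, bytes), skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue
        yield fields[0], fields[1], fields[2], fields[3], int(fields[4])

def unexplained_transit(text, min_bytes=1_000_000):
    """Sum exchange-to-exchange bytes with no customer endpoint, per source /24."""
    totals = defaultdict(int)
    for in_if, out_if, src, dst, nbytes in parse_flows(text):
        crosses = in_if in EXCHANGE_IFS and out_if in EXCHANGE_IFS and in_if != out_if
        if crosses and not is_customer(src) and not is_customer(dst):
            src_net = ipaddress.ip_network(f"{src}/24", strict=False)
            totals[(in_if, out_if, str(src_net))] += nbytes
    # Largest contributors first; small totals are dropped as noise.
    hits = [(key, total) for key, total in totals.items() if total >= min_bytes]
    return sorted(hits, key=lambda item: -item[1])

if __name__ == "__main__":
    for (in_if, out_if, net), total in unexplained_transit(SAMPLE_FLOWS):
        print(f"{in_if} -> {out_if}  src {net}  {total} bytes, no customer endpoint")
```

Run continuously against exported flow data, a check like this shortens the manual search the message describes, but a hit is only a lead: the source network still has to be identified and the data completed before drawing conclusions.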