Good Morning,

Please excuse me if this simple suggestion was mentioned in the thread (the traffic was so heavy I did not read so many), but I woke up this morning thinking simply:

If all ISPs would configure final end user routers (not transit carriers or intermediate systems, but only the router that actually services end users) to drop all packets originating in the direction of the end user where the source IP address does not match the IP address of the customer on a per port basis (or some variation of this plot and theme) then it would become trivial to trace these denial-of-service attacks.

Again, I apologize if this simple technique was mentioned during the heavy traffic on the subject and I missed it, but this approach seems so simple, that it must have been mentioned, but I missed it.

For this simple technique, I agree that a BCP is appropriate, so all IP service providers can 'sing off the same sheet of music' and cooperate together to stop bogus packets originating inside of their 'sphere of influence'.

Of course, getting all providers in the world to cooperate sounds like an impossible task, so in that case, all level 0, 1, etc. transit networks must have a policy that all downstream (or is it upstream, I'm still asleep) do this filtering as part of the service agreement.

Unless my groggy mind from a deep sleep is missing some marbles, this general technique and administrative policy would go a very long way toward stopping the random() attack and provide for a much easier way to trace attackers.

Yawn. Back to sleep......

All The Best,

Tim
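
The per-port source check proposed in the message above, sketched as an added example that is not part of the original post. It generalizes from one customer address to one assigned prefix per port; the port names, prefixes and sample packets are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed provisioning table: edge-router port -> prefix assigned to that
# customer. Port names and prefixes are assumptions (documentation ranges).
PORT_PREFIXES = {
    "port1": ipaddress.ip_network("192.0.2.0/28"),
    "port2": ipaddress.ip_network("192.0.2.16/28"),
    "port3": ipaddress.ip_network("198.51.100.0/24"),
}

def permit(port, src):
    """True only if the source address belongs to the customer on this port."""
    prefix = PORT_PREFIXES.get(port)
    if prefix is None:
        return False  # unknown port: fail closed
    try:
        return ipaddress.ip_address(src) in prefix
    except ValueError:
        return False  # unparsable source address

def filter_ingress(packets):
    """Split (port, src, dst) tuples into forwarded packets and per-port drop counts."""
    forwarded, drops = [], Counter()
    for port, src, dst in packets:
        if permit(port, src):
            forwarded.append((port, src, dst))
        else:
            drops[port] += 1  # the counter itself names the offending customer port
    return forwarded, drops

# Constructed traffic: port2 sends two packets with forged sources and one real one.
SAMPLE = [
    ("port1", "192.0.2.5", "203.0.113.10"),
    ("port2", "10.9.8.7", "203.0.113.10"),
    ("port2", "192.0.2.5", "203.0.113.10"),   # forged as port1's customer
    ("port2", "192.0.2.20", "203.0.113.10"),
    ("port3", "198.51.100.77", "203.0.113.10"),
]

if __name__ == "__main__":
    forwarded, drops = filter_ingress(SAMPLE)
    for pkt in forwarded:
        print("forward", pkt)
    for port, n in drops.items():
        print(f"drop x{n} on {port}: source outside assigned prefix")
```

Every packet that survives the check carries a source address inside the sending customer's own prefix, which is what makes the traffic traceable, and the drop counter points at the port that emitted the forged packets.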