Why not just provide a public API that lets users specify which of your customers they want to null route? It would save operators the trouble of having to detect the flows, and you can sell premium access that allows the API user to null route all your other customers at once.

Once everyone implements these awesome flow detectors it will just take short bursts of flooding to DoS their customers. If you can detect them in less than a second, it might not even show up on any interface graphs. I think this is already the case at a lot of VPS and hosting providers, since they're such popular sources as well as targets.

I don't know what, if anything, is the answer to these problems, but building complex auto-filtering contraptions is not it. Filtering NTP or UDP or any other specific application will just break things more, which is the goal of a 'denial of service' attack. Eventually everything will just be stuffed into TCP port 80 packets and the arms race will continue.

The recent abuse of NTP is unfortunate, but it will get fixed. I just wonder if UDP will have to be tunneled inside HTTP by then.

Laszlo
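The failure mode Laszlo describes, an automatic flow detector that blackholes the customer on a sub-second burst, as an added simulation that is not part of the original post: a naive per-sample detector beside one that requires the prefix to stay over threshold for a sustained, contiguous run before null-routing. The 1 Gbit/s threshold, 5 Gbit/s flood rate, 100 ms sampling and 5 s hold-down are constructed values, not anything from the thread.

```python
from collections import deque
from dataclasses import dataclass, field

THRESHOLD_BPS = 1_000_000_000  # constructed: 1 Gbit/s per-prefix trigger level
FLOOD_BPS = 5_000_000_000      # constructed: rate seen during the flood samples

@dataclass
class InstantDetector:
    # Naive auto-filter: null-routes the prefix the moment one sample crosses the threshold.
    threshold_bps: int

    def observe(self, t_ms: int, bps: int) -> bool:
        return bps > self.threshold_bps

@dataclass
class SustainedDetector:
    # Hardened auto-filter: null-routes only after the prefix has been over threshold
    # for a contiguous run of at least min_duration_ms; a sub-second burst never qualifies.
    threshold_bps: int
    min_duration_ms: int
    window_ms: int = 10_000
    samples: deque = field(default_factory=deque)

    def observe(self, t_ms: int, bps: int) -> bool:
        self.samples.append((t_ms, bps))
        while self.samples[0][0] < t_ms - self.window_ms:  # forget samples outside the window
            self.samples.popleft()
        run_start = None  # start time of the newest contiguous over-threshold run
        for ts, rate in reversed(self.samples):
            if rate <= self.threshold_bps:
                break
            run_start = ts
        return run_start is not None and t_ms - run_start >= self.min_duration_ms

def first_trigger(detector, samples):
    # Time (ms) at which the detector would null-route the prefix, or None if it never does.
    for t_ms, bps in samples:
        if detector.observe(t_ms, bps):
            return t_ms
    return None

def traffic(flood_ms, start_ms=1000, end_ms=20_000, step_ms=100):
    # Constructed per-prefix rate samples every step_ms: idle, a flood of flood_ms, then idle.
    return [(t, FLOOD_BPS if start_ms <= t < start_ms + flood_ms else 0)
            for t in range(0, end_ms, step_ms)]

# A 300 ms burst blackholes the customer under the naive detector but not the hardened one;
# a genuine 10 s flood is caught by both, the hardened one 5 s into the flood.
burst_instant = first_trigger(InstantDetector(THRESHOLD_BPS), traffic(300))               # 1000
burst_sustained = first_trigger(SustainedDetector(THRESHOLD_BPS, 5000), traffic(300))      # None
flood_sustained = first_trigger(SustainedDetector(THRESHOLD_BPS, 5000), traffic(10_000))   # 6000
```

The hold-down trades a few seconds of mitigation delay for immunity to the burst-and-vanish pattern; a real deployment would also rate-limit how many prefixes may be blackholed per interval and require an operator to confirm anything beyond that.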