I'm going to keep this really simple and go really slow so there's no chance of a misunderstanding.

You have a customer A. He has two customers, B and C. Your filter allows A, B, and C's assigned addresses as source addresses on the link to/from customer A.

Your customer A receives a packet from customer B with a source address assigned to customer C. Your filter allows it even though it's spoofed. You know why that is? Because your filter can't tell a spoofed packet from an unspoofed packet.

Customer B dials up to another ISP. He gets an IP address. He sends a packet sourced with that IP address to your customer A, who forwards it to you. It's not spoofed, but your filter blocks it. Do you know why that is? Because your filter can't tell a spoofed packet from an unspoofed packet.

You may be entirely happy with your filter, and it may be doing exactly what you want it to do. I won't dispute that. But the fact remains that your filter cannot tell a spoofed packet from an unspoofed packet. And there's a simple reason for this -- your filter can't tell where a packet actually originated, and that's what you need to know to tell whether it's spoofed or not.

Do you understand my point yet? A filter cannot tell a spoofed packet from an unspoofed packet. We've gone back and forth about four times and this simple point still seems to elude you. I wish I liked to play the name calling game as much as you do.

DS

PS: Am I the only one who was actually a little happy the day some big name sites got hit with DDoS attacks thinking this would finally bring some attention and real solutions to the problem of DoS attacks? Am I the only one disappointed with the fact that things have not gotten significantly better since then?
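The two cases in the post (a spoofed packet the filter permits, a legitimate packet the filter drops) can be reproduced with a small model of a source-prefix ingress filter. This is an added example, not code from the poster or the thread; the prefixes for customers A, B, C and the "other ISP" are constructed documentation ranges (192.0.2.0/24, 198.51.100.0/24), and the `origin` field stands for the emitting host, which a real filter never sees. The point it shows is the one the post makes: the filter's decision is a function of the header source address only, so it is identical for every possible origin.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assignments (documentation ranges, not real allocations).
PREFIX_A = "192.0.2.0/26"        # your customer A
PREFIX_B = "192.0.2.64/26"       # A's customer B
PREFIX_C = "192.0.2.128/26"      # A's customer C
OTHER_ISP = "198.51.100.0/24"    # where B dials up later


@dataclass(frozen=True)
class Packet:
    src: str      # source address carried in the IP header (visible to the filter)
    origin: str   # address of the host that actually emitted it (NOT visible to the filter)


class SourcePrefixFilter:
    """Ingress ACL on the link to/from customer A: permit only listed source prefixes."""

    def __init__(self, allowed_prefixes):
        self.allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]

    def permits(self, packet: Packet) -> bool:
        # Only the header source address is consulted; packet.origin is deliberately unused.
        src = ipaddress.ip_address(packet.src)
        return any(src in net for net in self.allowed)


def is_spoofed(packet: Packet) -> bool:
    """Ground truth, available only to an observer who knows where the packet came from."""
    return packet.src != packet.origin


def classify(filt: SourcePrefixFilter, packet: Packet):
    """Return (filter decision, ground truth) so the two can be compared side by side."""
    decision = "permit" if filt.permits(packet) else "deny"
    truth = "spoofed" if is_spoofed(packet) else "legitimate"
    return decision, truth


def decision_independent_of_origin(filt: SourcePrefixFilter, src: str, origins) -> bool:
    """True if the filter returns the same verdict for `src` regardless of who really sent it."""
    verdicts = {filt.permits(Packet(src, o)) for o in origins}
    return len(verdicts) == 1


# The filter from the post: A, B and C's prefixes are allowed on A's link.
LINK_A_FILTER = SourcePrefixFilter([PREFIX_A, PREFIX_B, PREFIX_C])

# Case 1: B sends a packet claiming a C address. Spoofed, yet it matches the ACL.
SPOOFED_FROM_B = Packet(src="192.0.2.130", origin="192.0.2.70")

# Case 2: B, dialled into another ISP, sends with its new address via A. Legitimate, yet dropped.
LEGIT_VIA_OTHER_ISP = Packet(src="198.51.100.17", origin="198.51.100.17")

# Ordinary traffic from B with its own address, for comparison.
NORMAL_FROM_B = Packet(src="192.0.2.70", origin="192.0.2.70")


if __name__ == "__main__":
    for name, pkt in [("spoofed from B", SPOOFED_FROM_B),
                      ("legit via other ISP", LEGIT_VIA_OTHER_ISP),
                      ("normal from B", NORMAL_FROM_B)]:
        decision, truth = classify(LINK_A_FILTER, pkt)
        print(f"{name:22s} src={pkt.src:15s} filter={decision:6s} truth={truth}")
    # Same header source, three different real origins: the verdict never changes.
    print("decision depends on origin:",
          not decision_independent_of_origin(
              LINK_A_FILTER, "192.0.2.130",
              ["192.0.2.70", "192.0.2.130", "198.51.100.17"]))
```

Because `permits()` can only see `src`, the mismatch between the filter column and the truth column is structural rather than a tuning problem: the prefix list can be made tighter or looser, but it can never recover the origin. That is also why anti-spoofing filters are most effective at the point closest to the origin, where the set of legitimate source addresses on a link is actually known.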