During an in progress attack, you probably have to take extreme measures, Do you remember - it's not attack against you or attack by some of your customer's networks used as amplifier, but the attack initiated from your own network. You never note such thing withouth some permanent measurement.
Oops. I misunderstood this first time round. I don't think you can easily detect smurf initiations, because you have to guess at the broadcast address. I think it is much easier to detect and block forged source addresses, which are also necessary for the hacker who is operating out of your network. --Dean ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Plain Aviation, Inc dean@av8.com LAN/WAN/UNIX/NT/TCPIP/DCE http://www.av8.com We Make IT Fly! (617)242-3091 x246 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++