Since source address spoofing seems to be the thing, why not bite the bullet and put filters on from addresses on downstream clients? It *would* start to blow out the size/complexity of the router configurations, but if your network is of a decent size you should already have some router config management tools written :) But this way, people can only spoof IPs from their own block, and not random addresses. It would kill smurf attacks, make tracing a tad(?) easier, etc, etc. And as I've mentioned before, not all types of floods are ICMP attacks. If you filter ICMP, then I'll start flooding with spoofed source addresses TCP packets with random sequence numbers and from IPs. What, you're going to ask routers to track all the TCP connections going through them now for validation? Erm, how many CPUs more are we going to need..? :) I haven't looked at the MCI tools but my opinion is that if people start putting filters in, you would find the instances of flooding decline. All that needs to be done now is to discuss the best ways to do it (eg setting up a filter on a cisco which uses AS path regexps, so you can filter per interface on what people are announcing to you via BGP. That way, your downstreams can only send traffic with FROM IPs that they announce, and anyone who wants to spoof has to be speaking BGP. ) Adrian