
Maybe I'm missing something here, but wouldn't these Denial of Service attacks cause a severe mismatch in the numbers of SYNs and SYN-ACKs on a given router interface? If so, then couldn't we just sweet-talk Cisco into providing 5 minute counts of SYNs and SYN-ACKs on an interface? You know, something like:

    5 minute SYNS: 123423
    5 minute SYN-ACKS: 50000

Then, if the ratio got too high, it can start yelping about "Potential SYN D-O-S Attack in progress on Interface Serial 1". In this manner "good" ISPs wouldn't unknowingly carry these attacks. I envision this being done on the somewhat bigger ISPs where putting inbound filters on their customer interfaces would not be a good idea (Sprint, MCI, Net 99, etc.). If the feature was enabled by default, some smaller ISPs would probably notice it -- if they are watching their Cisco logs at all.

Personally, I know that these attacks aren't going to originate at our site, as I have the filters on. However, I am quite concerned about getting hit with one...

-forrestc@imach.com
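The ratio check the post proposes, written out as an added example (not the poster's code and not a Cisco feature): per-interface, per-5-minute-window SYN and SYN-ACK counts over a constructed packet list, with a window flagged when unanswered SYNs dominate. The record layout, the threshold of 3.0 and the minimum of 100 SYNs per window are assumptions chosen here.

```python
from collections import defaultdict

WINDOW_S = 300          # the 5-minute bucket the post asks for
RATIO_THRESHOLD = 3.0   # assumed: alert when SYNs exceed 3x SYN-ACKs
MIN_SYNS = 100          # assumed: ignore windows with too few SYNs to judge


def make_packets():
    """Constructed sample: (timestamp_s, interface, tcp_flags) records."""
    pkts = []
    # Serial 0, normal: 200 SYNs, 190 SYN-ACKs (a few unanswered is ordinary)
    pkts += [(i, "Serial 0", "S") for i in range(200)]
    pkts += [(i + 1, "Serial 0", "SA") for i in range(190)]
    # Serial 1, flooded: 5000 SYNs spread over the window, only 50 SYN-ACKs
    pkts += [(i % WINDOW_S, "Serial 1", "S") for i in range(5000)]
    pkts += [(i, "Serial 1", "SA") for i in range(50)]
    return pkts


def count_handshakes(packets, window_s=WINDOW_S):
    """Return {(interface, window_start): {'syn': n, 'synack': n}}."""
    counts = defaultdict(lambda: {"syn": 0, "synack": 0})
    for ts, iface, flags in packets:
        key = (iface, (ts // window_s) * window_s)
        if "S" in flags and "A" not in flags:
            counts[key]["syn"] += 1        # bare SYN: new connection attempt
        elif "S" in flags and "A" in flags:
            counts[key]["synack"] += 1     # SYN-ACK: the attempt was answered
    return dict(counts)


def flag_windows(counts, threshold=RATIO_THRESHOLD, min_syns=MIN_SYNS):
    """Return (interface, window_start, syns, synacks, ratio) for suspect windows."""
    alerts = []
    for (iface, start), c in sorted(counts.items()):
        if c["syn"] < min_syns:
            continue
        ratio = c["syn"] / max(c["synack"], 1)   # avoid division by zero
        if ratio > threshold:
            alerts.append((iface, start, c["syn"], c["synack"], ratio))
    return alerts


def format_alert(alert):
    """Render one alert in the log-line style the post suggests."""
    iface, start, syns, synacks, ratio = alert
    return (f"Potential SYN D-O-S Attack in progress on Interface {iface} "
            f"(window {start}: SYNs={syns} SYN-ACKs={synacks} ratio={ratio:.1f})")


if __name__ == "__main__":
    for a in flag_windows(count_handshakes(make_packets())):
        print(format_alert(a))
```

Both directions must be visible at the counting point: with asymmetric routing the SYN-ACKs may leave through a different interface, so a raw per-interface ratio can fire on healthy traffic.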