I want to make it crystal clear that source address filtering does not fix the SYN flooding or other spoofed-source address security problems. It only makes it easier to track down the perpetrator. If the goal of an attacker is to damage the business for one or two hours, such an attack can be launched from a throw-away staging point, after which the hacker cleans up after himself. Tell VISA or any other serious commercial customer that their operations can be stopped for an hour by any newbie who can retype a page from 2600. I think you'll be laughed at.

Per se, reducing the number of clueless newbies trying to play hakerz is good and worthwhile; and as such source address filtering is a valuable tool and should be deployed ASAP. However, source address filtering is particularly hard to implement for large ISPs (it'll require quite extensive modifications to configurations). Having only 100 filter lists per cisco box doesn't help too much either (there are boxes with more than 100 "logical" interfaces on MIP cards). For a large ISP, implementing source filtering is going to be a monumental task. Given the "tragedy of the commons" nature of the problem (you work hard to implement filters which do not benefit _you_), I'm quite sceptical that it will get us anywhere. Note that the significant progress in CIDR was achieved only after years of screaming, threats and all-out hand twisting (can you say Sean's filter?). That's why I tried to communicate the idea of creating such filters automagically, by using the reverse-route approach. That would allow making it the default behaviour, at least for T-1s or less.

Again, source filtering is only a part of the solution. It does not eliminate the attack mechanism per se. That's why statistical traffic monitoring for the traffic patterns showing on-going flooding attacks, with consequent automatic shut-off, is a valuable deterrent. It reduces the attack detection and prevention time to half a minute or less.

For all practical purposes that will make attacks like that rather harmless, and will shift the burden of responsibility from the targets of attacks to those who unwittingly or (worse) knowingly provide assistance to hackers by being lazy or simply clueless. The goal is to have the network be able to contain anti-social behaviour on its own. The technology can do much better than an army of cops, so a technological solution should be preferred to any solution involving human (or, worse, lawyer) intervention. The network is great as a right-to-speak tool. Now we should think hard on how to support the right not to listen. Deniability of communication is not a new concept, after all.

--vadim
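As an added illustration (not part of vadim's post or any router vendor's code), here are the two mechanisms the post argues for: a source filter derived automatically from the reverse route rather than from a hand-maintained access list, and a statistical SYN-rate monitor that shuts a flooded destination off within one half-minute window. The routing table, the thresholds and the packet records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed routing table for an edge router: prefix -> outgoing interface.
# Customers hang off serial0/serial1; everything else goes upstream via serial2.
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "serial0",
    ipaddress.ip_network("10.2.0.0/16"): "serial1",
    ipaddress.ip_network("0.0.0.0/0"): "serial2",
}

def reverse_route_ok(src_ip, in_iface):
    """Reverse-route source filter: a packet passes only if the best route
    back to its source address points at the interface it arrived on."""
    addr = ipaddress.ip_address(src_ip)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best] == in_iface

class SynFloodMonitor:
    """Sliding-window count of bare SYN segments per destination; once the
    count inside one window passes the threshold the destination is shut off."""
    def __init__(self, window_s=30, max_syns=50):
        self.window_s, self.max_syns = window_s, max_syns
        self.syns = defaultdict(deque)   # dst -> arrival times of recent SYNs
        self.shut_off = {}               # dst -> time the shut-off tripped

    def observe(self, ts, dst, flags):
        """Feed one TCP segment; returns True if traffic to dst is shut off."""
        if flags == "S":                 # SYN without ACK: a new connection attempt
            q = self.syns[dst]
            q.append(ts)
            while q and ts - q[0] > self.window_s:
                q.popleft()              # forget SYNs older than the window
            if len(q) > self.max_syns and dst not in self.shut_off:
                self.shut_off[dst] = ts
        return dst in self.shut_off

def process(packets, monitor):
    """Run constructed (ts, in_iface, src, dst, flags) records through both
    checks; returns (count dropped by the reverse-route filter, monitor)."""
    dropped = 0
    for ts, iface, src, dst, flags in packets:
        if not reverse_route_ok(src, iface):
            dropped += 1                 # spoofed source never reaches the monitor
            continue
        monitor.observe(ts, dst, flags)
    return dropped, monitor
```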