hi I might be totally off the mark here, but has slapper now changed to port 1812? This'll make it really difficult to filter, if you're using this port for RADIUS. I'm seing huge volumes of traffic, to what seem to be slapper infected hosts. I see 2 infected hosts, with 2343 and 2384 unique source addresses speaking to each of them respectively. I'm unable to do actual dumps of the data at this stage, so if anyone could either confirm, or tell me I'm off my rocker, would appreciate it. I've checked a few source and destination ip's, and they all seem to be *nix, with outdated ssl, for example: Date: Tue, 01 Oct 2002 21:46:02 GMT Server: Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 netflow shows: FLOW index: 0xc7ffff router: src IP: 211.157.101.158 Dst IP: input ifIndex: 18 output ifIndex: 24 src port: 1812 dst port: 1812 pkts: 1 bytes: 88 IP nexthop: 196.31.39.10 start time: Tue Oct 1 18:38:12 2002 end time: Tue Oct 1 18:38:12 2002 protocol: 17 tos: 32 src AS: 701 dst AS: src masklen: 19 dst masklen: 24 TCP flags: 0x10 engine type: 0 engine id: 0 Regards --Rob