
On Mon, 16 Sep 1996, Tim Bass wrote:

==>(1) Set up logging (as you have done) dump the data saving the
==>(2) Using documented stochastic methods, look for the hidden
==>(3) Given it is possible to break the code, hack together some

This would be a great thing, if only the tools were written. Unfortunately, at this time, it would take a lot of human work just to build the tools to look for patterns (or for the humans to look for patterns themselves).

(BTW, most source-address spoofing code I've seen involves the random() function, and seeds the random-number generator frequently as well -- you'd really have to have sophisticated hardware to analyze all of this.)

At this point, the only REAL solution we have is to take the following steps and ask our neighboring NSPs/direct providers to:

1) Educate customers and ask their commitment to add out-bound access-lists allowing only those packets sourced from their CIDR blocks (for stub networks).

2) Dedicate some resources to tracing these attacks and pressuring the upstream providers involved in attacks to do the same.

==>BTW, do all the attacks have the same port and destination?

Yes, they do. However, so does all legitimate traffic to my web server.

/cah

----
Craig A. Huegen
CCIE #2100
Network Analyst, IS-Network/Telecom
cisco Systems, Inc., 250 West Tasman Drive
San Jose, CA 95134, (408) 526-8104
email: chuegen@cisco.com
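The out-bound access list that step 1 of the message asks stub customers to deploy, written out as an added example (this is not configuration from the original message or from cisco): a Cisco IOS numbered extended access list that permits only packets sourced from the customer's own block and drops everything else before it reaches the provider. The customer block 192.0.2.0/24 is a placeholder from the documentation range and the interface name Serial0 is assumed.

```cisco
! Added example, not from the original message. Assumes the stub
! network's allocated block is 192.0.2.0/24 (placeholder) and that
! Serial0 is the link toward the upstream provider.
!
! Permit only packets whose source address lies inside the block this
! site actually owns. IOS wildcard masks are the inverse of the
! netmask, so a /24 is written as 0.0.0.255.
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
!
! Any other source address is one this site does not own, i.e. it is
! spoofed or misrouted. Drop it and log the match so the customer can
! locate the host that generated it.
access-list 101 deny   ip any any log
!
interface Serial0
 description Link to upstream provider
 ip access-group 101 out
```

The list is applied in the out direction on the provider-facing interface, so traffic between the customer's own subnets is untouched. The provider can mirror it with an inbound list on its customer-facing interface that permits only that customer's prefix, which is the "neighboring providers do the same" part of the message. One caveat: the log keyword causes every denied packet to be punted for logging, so under a sustained flood it can load the router's CPU; use it while tracing a source and remove it afterwards. Later IOS releases added unicast reverse-path forwarding (ip verify unicast reverse-path), which enforces the same source-address check without a hand-written list.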