Can I have 2(a) - deal with it statistically and intelligently. TCP/IP stacks which have got far greater public flak than Cisco's (Solaris 2.4 for instance) do not die when sent 128kb/s of ICMP. As I understand it 11.1 allows access lists based on icmp packet type, and this filtering is already done off CPU. So "all" the CPU has to do is block ICMPs from particular hosts, or (even) ICMP at all, if it is being flooded. You can have anything you like ... at Alice's Restaurant. ;-) Assuming we're still talking about a 7010, I suspect that you could do incoming ICMP filtering in the SSE and discard those. But then the bad guys simply attack your BGP port to circumvent your filters. And the filters are not intelligent enough to perform the authentication computation. I'm surprised it's as low as 128kb/s. It should be more around 2kpps. Not that this is a stretch. ;-) I did. They said "the problem doesn't exist". What? And you didn't believe them? ;-) I suspect that a better approach is to contact the people with clue directly.... it sounds like you went through TAC. Tony