I just came to realize that there is one big problem with using BGP to blackhole these SMURF-amplifier sites. Put really simply, if you create a BGP blackhole all you do is prevent your packets from getting to their network - not the converse. While being listed on a blackhole list which affects connectivity might be enough to encourage people to set no ip directed-broadcast or equivalent on appropriate interfaces, I'd rather see a real filter set which I can drop the packets at my internet-facing edges. How to update the filter set dynamically is another issue that I'd like to hear about. Am I thinking correctly here or am I missing some convoluted BGP configuration? - Forrest W. Christian (forrestc@imach.com) ---------------------------------------------------------------------- iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com Solutions for your high-tech problems. (406)-442-6648 ----------------------------------------------------------------------