I don't want to detract from the heat of this discussion, as important as it is, but it (the discussion) illustrates a point that RIPE has recognized -- and is actively perusing -- yet, ISPs on this continent seem consistently to ignore: The consistent implementation of BCP 38. It is nothing less than irresponsible, IMO... Why _is_ that? - ferg -- "Patrick W. Gilmore" <patrick@ianai.net> wrote: [snip] There is no single "appropriately[sic] place" which can absorb 50Mpps. If you meant "appropriately placed" (as in topologically dispersed locations), a well crafted attack could still guarantee _at least_ a partial DoS from an end user PoV. It is essentially impossible to distinguish end-user requests from (im)properly created DoS packets (especially until BCP38 is widely adopted - i.e. probably never). Since there is no single place - no 13 places - which can withstand a well crafted DoS, you are guaranteed that some users will not be able to reach any of your listed authorities. This is not speculation, this is fact. All a good provider can do, even with 1000s of server, is minimize the impact of any DoS. [snip] -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/