> Check also ICMP "packet too big" coming in with ridiculous sizes, they
> might be the sign that someone is trying the Shulman attack.

JFTR It's one ICMP packet per the fragmentation cache timeout and the unique destination IP. I wish we had found out some way to enforce BCP38 before spoofing became a problem:(

O.
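One way to implement the check suggested in the quoted text, as an added example that is not part of the original thread: it parses IPv4 ICMP "fragmentation needed" messages (type 3, code 4) and flags any that advertise an implausibly small next-hop MTU. The 576-byte threshold, the function names and the sample packets (documentation address ranges) are assumptions made for this example; IPv6 "packet too big" is not handled.

```python
import socket
import struct

# Assumption: an advertised next-hop MTU below this counts as "ridiculous".
# 576 is the datagram size every IPv4 host must be able to accept (RFC 791).
SUSPICIOUS_MTU = 576

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def make_frag_needed(sender, host, remote, mtu):
    """Constructed sample: ICMP type 3 code 4 quoting a host->remote UDP packet."""
    quoted = ipv4_header(host, remote, 17, 8) + b"\x00" * 8
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted
    return ipv4_header(sender, host, 1, len(icmp)) + icmp

def parse_frag_needed(packet):
    """Return (sender, quoted_dst, mtu) for ICMP 'fragmentation needed', else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                      # not IPv4 carrying ICMP
    ihl = (packet[0] & 0x0F) * 4         # outer header length in bytes
    icmp = packet[ihl:]
    if len(icmp) < 8 + 20 or icmp[0] != 3 or icmp[1] != 4:
        return None                      # not type 3 / code 4 with a quoted header
    mtu = struct.unpack("!H", icmp[6:8])[0]          # next-hop MTU (RFC 1191)
    sender = socket.inet_ntoa(packet[12:16])
    quoted_dst = socket.inet_ntoa(icmp[8 + 16:8 + 20])  # dst of the quoted packet
    return sender, quoted_dst, mtu

def suspicious(packets, threshold=SUSPICIOUS_MTU):
    """Flag each message on its own: no rate threshold, a single packet counts."""
    hits = []
    for p in packets:
        parsed = parse_frag_needed(p)
        if parsed and parsed[2] < threshold:
            hits.append(parsed)
    return hits

SAMPLES = [  # constructed packets, not captured traffic
    make_frag_needed("192.0.2.1", "198.51.100.10", "203.0.113.53", 1400),
    make_frag_needed("192.0.2.66", "198.51.100.10", "203.0.113.53", 68),
    make_frag_needed("192.0.2.66", "198.51.100.10", "203.0.113.54", 296),
]

if __name__ == "__main__":
    for sender, dst, mtu in suspicious(SAMPLES):
        print(f"suspect PTB from {sender}: path to {dst} claims MTU {mtu}")
```

Because the reply notes that one ICMP packet per destination per fragmentation cache timeout is all that is involved, the check evaluates every message rather than waiting for a volume of them.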