> I tend to think that the typical actual attacker, *today*, does not > really understand the TTL and its use, and leaves the default TTL. attackers tend to go for the least effort they have to expend to succeed. this attack is unusual in its seeming unneeded sophistication. this is why the 'this is a test run' theory appeals to me. randy