With the recent flurry of activity around IPv6 and the routing headers, I think it's important to point out that explicit source routing isn't the only way some attacker could amplify their DOS attack.

A very common problem with IPv6 is that folks forget to set a reject route to absorb their unused networks. Without something in the ipv6 routing table to tell the gateway machine that these addresses are "mine" but unused, the packets will get sent back up the default route to the upstream gateway. That gateway will notice that the packet is meant for your net and will send it right back. Some attacker that notices this misconfiguration can then proceed to send packets with a very long TTL and proceed to have the packet bounce up and down the link approximately 250 times.

The fix is to set up a reject route for your assigned /48 (or whatever your upstream gives you).

My notes from just setting up an ipv6 tunnel under FC6 (fedora):

http://www.wsrcc.com/wolfgang/fedora/ipv6-tunnel.html

Comments/corrections welcome.

-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
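A check for the misconfiguration described above, added here as an example and not part of the original post: it reads routing table lines in the style of `ip -6 route show` and lists the parts of an assigned prefix that only the default route matches, which are the parts a gateway would send back upstream. The 2001:db8::/32 documentation prefix, the interface names and the sample tables are constructed.

```python
import ipaddress

# Route types that iproute2 prints in front of the destination.
REJECT_TYPES = {"unreachable", "blackhole", "prohibit"}

# Constructed sample tables: before and after adding the reject route.
ASSIGNED = "2001:db8:1234::/48"
ROUTES_BEFORE = """
2001:db8:1234:1::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via 2001:db8:ffff::1 dev sit1 metric 1024
"""
ROUTES_AFTER = ROUTES_BEFORE + "unreachable 2001:db8:1234::/48 dev lo metric 1024\n"

def parse_routes(text):
    """Return the destination networks from `ip -6 route show`-style lines."""
    nets = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[1] if fields[0] in REJECT_TYPES else fields[0]
        nets.append(ipaddress.IPv6Network("::/0" if dest == "default" else dest))
    return nets

def bounced_prefixes(assigned, route_text):
    """Parts of `assigned` whose best (longest) match is the default route."""
    nets = parse_routes(route_text)
    if not any(n.prefixlen == 0 for n in nets):
        return []  # no default route: unmatched packets are dropped, not bounced
    remaining = [ipaddress.IPv6Network(assigned)]
    for net in nets:
        if net.prefixlen == 0:
            continue
        kept = []
        for r in remaining:
            if r.subnet_of(net):
                continue                             # fully handled by this route
            if net.subnet_of(r):
                kept.extend(r.address_exclude(net))  # carve the route out of r
            else:
                kept.append(r)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        gaps = bounced_prefixes(ASSIGNED, table)
        print(label, "->", [str(n) for n in gaps] or "nothing falls through")
```

An empty result means every address in the assigned prefix is matched by something more specific than the default route, so nothing is handed back to the upstream gateway.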