> I think that there's some lack of clarity on the problem here. Anyone can
> stream packets at ANY router and take it down. If it's not ICMP, you can
> simply forge routing protocol packets. It's a question of simply
> supersaturating the system. To truly deal with DoS attacks, there are
> basically three approaches:
Indeed. For instance SYN-flood the BGP port.
Won't work easily.
On Criscos, the queue is per peer, not per port..