Preventing spoofing

Need to know real origin of attack packets
Must send filter request to the right place
IP source address of attack traffic may be spoofed.

Dumb idea: Add a “true-source” bit to packets
Only Terminus ISPs with ingress filtering can set bit
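A small model of the true-source bit idea, added here as an illustration; it is not taken from the slides or from Terminus itself. The packet field, the function names and the border rule that clears the bit on traffic from non-Terminus neighbours are assumptions, and the addresses are constructed documentation-range values.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    # Modelled as a plain field; the slide does not say where the bit lives.
    true_source: bool = False


def terminus_edge(pkt: Packet, customer_prefix: str) -> Optional[Packet]:
    """Customer-facing port of a Terminus ISP with ingress filtering.

    Drops packets whose source is outside the prefix assigned to that port,
    and overwrites the bit on everything it forwards, so a host cannot set it.
    """
    if ip_address(pkt.src) not in ip_network(customer_prefix):
        return None  # spoofed source: dropped at the edge
    return replace(pkt, true_source=True)


def legacy_edge(pkt: Packet) -> Packet:
    """Edge of an ISP without ingress filtering: forwards whatever the host sent."""
    return pkt


def terminus_border(pkt: Packet, neighbour_is_terminus: bool) -> Packet:
    """Assumed rule: the bit is only kept on traffic handed over by another
    Terminus ISP; from any other neighbour it is cleared, whatever the sender set."""
    return pkt if neighbour_is_terminus else replace(pkt, true_source=False)


def filter_request_target(pkt: Packet) -> Optional[str]:
    """Where the victim side may send a filter request for this packet.

    Only a source address vouched for by the bit is usable; otherwise the
    address may be spoofed and the request could go to the wrong place.
    """
    return pkt.src if pkt.true_source else None


VICTIM = "203.0.113.10"           # constructed
CUSTOMER_PREFIX = "192.0.2.0/24"  # constructed prefix on the Terminus edge port
```
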