Hi, On 02/26/2014 6:41 pm, Thomas St-Pierre wrote: > Here’s the config snippet I’m thinking of using: If the primary DDOS payload is non-initial fragments (which I suspect may be the case) it will bypass your ACL unless you match fragments, which may impact other traffic. ~Randy