> Source address verification at access layer and rate limiting icmp would > be fine starts. these are "best practices" and not "DDoS Protection" imho