Hi Markus.

Interesting topic. Your idea seems very handy for doing forensic analysis after an HTTP-DoS/DDoS attack.

I think that the IPTables firewall could be used to help limit or prevent such attacks from occurring. There is a development library for the IPTables packet filter that allows a user to write loadable modules for the packet filter. I think it should be possible to write a module that will queue incoming packets in userland memory. The packets can then be inspected for certain clues that would be indicative of an HTTP-DoS attack. DDoS may be a bit trickier to detect, as the source IPs will be varied, but even so, there may still be a very high number of new connection requests coming, in a very short time, from the same source IP, which would indicate a possible DoS or DDoS attack underway.

The user-written module should then be able to generate and add new rules to the IPTables firewall, to block such DoS/DDoS attacks. After a certain amount of time, the user-written module should then be able to remove those added rules from the firewall packet filter.

I suppose you would call this adaptive or intelligent firewalling, as the firewall adapts itself in response to what it sees in the INPUT chain.

I need to write a white paper on this, and make it available for all to read, and hopefully someone will take up the idea and develop it into something functional!

Kind Regards - Keith Roberts
http://www.karsites.net/
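
The detect, block and expire loop described in the message above, as an added example that is not part of the original post and is not an IPTables module: a userland Python tracker that counts new connections per source IP in a sliding window and returns the `iptables` commands to add and later remove a DROP rule. The class name, thresholds, port and the sample events (documentation addresses) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class AdaptiveBlocker:
    """Ban a source IP on a burst of new connections; lift the ban after ban_secs."""

    def __init__(self, max_new=20, window=1.0, ban_secs=60.0, port=80):
        self.max_new, self.window = max_new, window
        self.ban_secs, self.port = ban_secs, port
        self.seen = defaultdict(deque)  # source IP -> times of recent new connections
        self.banned = {}                # source IP -> time at which its ban expires

    def _rule(self, action, ip):
        # "-I" inserts the DROP rule at the top of INPUT; "-D" deletes the same rule.
        return ["iptables", action, "INPUT", "-s", ip, "-p", "tcp",
                "--dport", str(self.port), "-j", "DROP"]

    def expire(self, now):
        """Return delete commands for every ban whose lifetime has passed."""
        done = [ip for ip, until in self.banned.items() if until <= now]
        for ip in done:
            del self.banned[ip]
        return [self._rule("-D", ip) for ip in done]

    def observe(self, now, ip):
        """Feed one new-connection event; return the rule changes to apply."""
        cmds = self.expire(now)
        if ip in self.banned:           # already dropped by the firewall
            return cmds
        q = self.seen[ip]
        q.append(now)
        while q[0] <= now - self.window:  # forget events older than the window
            q.popleft()
        if len(q) > self.max_new:
            self.banned[ip] = now + self.ban_secs
            del self.seen[ip]
            cmds.append(self._rule("-I", ip))
        return cmds

def replay(events, **settings):
    """Run time-ordered (timestamp, source_ip) events through a fresh blocker."""
    blocker, out = AdaptiveBlocker(**settings), []
    for now, ip in events:
        out.extend(blocker.observe(now, ip))
    return out

# Constructed sample: one source opens 30 connections in 0.3 s,
# another opens one connection per second for 90 s.
SAMPLE = sorted([(i * 0.01, "198.51.100.7") for i in range(30)] +
                [(float(i), "192.0.2.10") for i in range(90)])
```

The commands are returned as argument lists rather than executed, and expiry only runs when an event arrives, so a real deployment would also call `expire` on a timer. A per-source counter like this does not see a distributed flood in which each source stays under the threshold.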