I added a new feature to dnstop today that filters on "refused" response codes. This might be useful in tracking the ongoing DNS-based DDoS attacks. To use this new feature: dnstop -R -f refused eth0 tarball at http://dns.measurement-factory.com/tools/dnstop/src/dnstop-20090128.tar.gz DW