At approximately 2:10 PM PST, we were hit with a UDP packet flood attack that pretty much saturated our links. We have upstream filtering that would protect us from this attack if it were not for bugs in Cisco's IOS. Cisco routers are used by our backbone provider (Sprint for the hosts here). There is a packet fragment reassembly bug that allows attackers to construct packets in such a way as to make them look like TCP packets to Cisco but UDP packets to the site that is attacked. Consequently, access lists which block UDP to prevent this type of attack are ineffective. The attack only lasted about ten minutes but effectively isolated our network hosts from the network during the interval. We are working with Sprint to find a more robust solution to this problem.