diff --git a/history.txt b/history.txt
index a0a79f67fc..1cb9a6a989 100644
--- a/history.txt
+++ b/history.txt
@@ -1,3 +1,7 @@
+2015-02-07 zzz
+ * SSU: Limit range for valid clock skew
+ * Transport: Ban routers if they are too old and we are non-DSA
+
 2015-02-06 zzz
  * NetDB: Reduce max job lag for floodfill
  * NTCP: Block IP for a while when incoming connection is dropped before
diff --git a/router/java/src/net/i2p/router/RouterClock.java b/router/java/src/net/i2p/router/RouterClock.java
index 051d282cda..b3318cda3e 100644
--- a/router/java/src/net/i2p/router/RouterClock.java
+++ b/router/java/src/net/i2p/router/RouterClock.java
@@ -102,8 +102,8 @@ public class RouterClock extends Clock {
             // only allow substantial modifications before the first 10 minutes
             if (_alreadyChanged && (System.currentTimeMillis() - _startedOn > 10 * 60 * 1000)) {
                 if ( (delta > MAX_LIVE_OFFSET) || (delta < 0 - MAX_LIVE_OFFSET) ) {
-                    getLog().log(Log.CRIT, "The clock has already been updated, but you want to change it by "
-                                           + delta + " to " + offsetMs + "?  Did something break?");
+                    getLog().log(Log.WARN, "The clock has already been updated, ignoring request to change it by "
+                                           + delta + " to " + offsetMs, new Exception());
                     return;
                 }
             }
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index 9319fc01c9..0bd65feeba 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 22;
+    public final static long BUILD = 23;
 
     /** for example "-test" */
     public final static String EXTRA = "";
diff --git a/router/java/src/net/i2p/router/transport/udp/PacketHandler.java b/router/java/src/net/i2p/router/transport/udp/PacketHandler.java
index 206e9c44f7..8d812852fa 100644
--- a/router/java/src/net/i2p/router/transport/udp/PacketHandler.java
+++ b/router/java/src/net/i2p/router/transport/udp/PacketHandler.java
@@ -47,6 +47,7 @@ class PacketHandler {
     private static final int MAX_NUM_HANDLERS = 1;
     /** let packets be up to 30s slow */
     private static final long GRACE_PERIOD = Router.CLOCK_FUDGE_FACTOR + 30*1000;
+    private static final long MAX_SKEW = 90*24*60*60*1000L;
     
     private enum AuthType { NONE, INTRO, BOBINTRO, SESSION }
 
@@ -610,17 +611,21 @@ class PacketHandler {
             long recvOn = packet.getBegin();
             long sendOn = reader.readTimestamp() * 1000;
             long skew = recvOn - sendOn;
+            int type = reader.readPayloadType();
+            // if it's a bad type, the whole packet is probably corrupt
+            boolean typeOK = type <= UDPPacket.MAX_PAYLOAD_TYPE;
+            boolean skewOK = skew < MAX_SKEW && skew > (0 - MAX_SKEW) && typeOK;
 
             // update skew whether or not we will be dropping the packet for excessive skew
             if (state != null) {
                 if (_log.shouldLog(Log.DEBUG))
                     _log.debug("Received packet from " + state.getRemoteHostId().toString() + " with skew " + skew);
-                if (auth == AuthType.SESSION)
+                if (auth == AuthType.SESSION && typeOK && (skewOK || state.getMessagesReceived() <= 0))
                     state.adjustClockSkew(skew);
             }
-            _context.statManager().addRateData("udp.receivePacketSkew", skew, packet.getLifetime());
+            _context.statManager().addRateData("udp.receivePacketSkew", skew);
 
-            if (!_context.clock().getUpdatedSuccessfully()) {
+            if (skewOK && !_context.clock().getUpdatedSuccessfully()) {
                 // adjust the clock one time in desperation
                 // this doesn't seem to work for big skews, we never get anything back,
                 // so we have to wait for NTCP to do it
@@ -648,7 +653,6 @@ class PacketHandler {
             RemoteHostId from = packet.getRemoteHost();
             _state = 46;
             
-            int type = reader.readPayloadType();
             switch (type) {
                 case UDPPacket.PAYLOAD_TYPE_SESSION_REQUEST:
                     _state = 47;
diff --git a/router/java/src/net/i2p/router/transport/udp/PeerState.java b/router/java/src/net/i2p/router/transport/udp/PeerState.java
index 37cde0c8e6..b3c8d86b60 100644
--- a/router/java/src/net/i2p/router/transport/udp/PeerState.java
+++ b/router/java/src/net/i2p/router/transport/udp/PeerState.java
@@ -761,6 +761,8 @@ class PeerState {
     
     /** we received the message specified completely */
     public void messageFullyReceived(Long messageId, int bytes) { messageFullyReceived(messageId, bytes, false); }
+
+    /** FIXME synch */
     public void messageFullyReceived(Long messageId, int bytes, boolean isForACK) {
         if (bytes > 0) {
             _receiveBytes += bytes;
diff --git a/router/java/src/net/i2p/router/transport/udp/UDPPacket.java b/router/java/src/net/i2p/router/transport/udp/UDPPacket.java
index cb201b324c..7b9c2bdd00 100644
--- a/router/java/src/net/i2p/router/transport/udp/UDPPacket.java
+++ b/router/java/src/net/i2p/router/transport/udp/UDPPacket.java
@@ -84,6 +84,7 @@ class UDPPacket implements CDQEntry {
     public static final int PAYLOAD_TYPE_RELAY_INTRO = 5;
     public static final int PAYLOAD_TYPE_DATA = 6;
     public static final int PAYLOAD_TYPE_TEST = 7;
+    public static final int MAX_PAYLOAD_TYPE = PAYLOAD_TYPE_TEST;
     /** @since 0.8.1 */
     public static final int PAYLOAD_TYPE_SESSION_DESTROY = 8;