In mission-critical networks, command, alerts, and critical data are frequently broadcast over wireless networks. Broadcast traffic must be protected from malicious attacks, wherein sources are impersonated or broadcast packets are forged. Even though broadcast authentication eliminates such attacks, attackers can still launch Denial-of-Service attacks by injecting substantive false packets, which consume both communication and computation resources. Due to inevitable proliferation of duplicates of broadcast packets, it is especially important to limit false packet propagation range. Evidently, authenticating each packet before forwarding can effectively contain false packets within one hop. But it results in considerable end-to-end delay penalty on authentic packets. In this paper, we propose a randomized authentication scheme, DREAM, which contains most of false packets in one-hop range of attackers and yet keeps end-to-end delay relatively low. Dream also continuously monitors the contextual threat and dynamically adjusts the trade-off among containment and end-to-end delay performance. Extensive evaluations in ns2 validate our idea.