On Wed, May 01, 2002 at 05:18:24PM -0600, pete@kruckenberg.com said: [snip]
A rather extensive survey of DDoS papers has not resulted in much on this topic.
What processes and/or tools are large networks using to identify and limit the impact of DDoS attacks?
It seems to me that the real issue in defending against an attack of this type of differentiating between legitimate traffic and zombie traffic. This seems to be self-evident, but on a distributed scale, how _would_ one tell the difference between a host/netblock that's making a lot of requests to a busy site (amazon.com, say) and a host/netblock that's sending a lot of zombie requests, especially when both sets of requests are bound for the same ports (80/443 in this case) on the same IP/set of IPs? The more D the DoS, the more difficult it becomes to tell what's legit and what's not. (Stating the obvious again, I know, but it helps me think. :) ) -- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui