Hi, folks.

Ah, you know when you mention DDoS too frequently I'm bound to post. :)

] specific events. But how much (D)DoS traffic goes unnoticed
] by the average customer because it's too tough to detect or
] defend against? The 10% I've measured on my network is

Valid concern. I tracked five groups of miscreants, each with a botnet, and recorded well over 100 DDoS attacks in a single 24-hour period. These were the attacks that were obvious, e.g. the attack was coordinated or discussed in channel, with the results often pasted into the channel as well (IRC ping timeouts, traceroutes, pings, HTTP gets, etc.). How many privately discussed attacks did I not log?

In the underground DoS is ubiquitous and quite frequent. The miscreant without a botnet or DoSnet is generally in the active pursuit of one or both. In fact, if you see a sudden upsurge in scans for a particular port (Sub7, FTP, NetBIOS shares), this is often the result of a botnet or DoSnet harvest.

Many of the DoS tools and bots are specifically written to generate seemingly legitimate traffic. These tools do not spoof the source IP. Some will generate a surfeit of sockets to a web server; this won't appear as anomalous traffic, particularly if there is no flow analysis on the network. It isn't clear to me how the various anti-DDoS tools (Captus, Arbor, Riverhead, et al.) will deal with a surfeit of legitimate traffic, though Mazu may have some chance of fingerprinting this traffic (it is essentially an anomaly detector). N.B.: I've not tested any of these devices.

Many edge networks do not run any sort of flow collection and analysis tool. They have no idea what is hitting their site, but they know it is causing woe. They call their ISP and expect them to deduce the naughty flows. Some ISPs are incapable of analyzing the flows as well. It's a real mixed bag.

I would argue that there are other things that can be done at the edge to mitigate the present effect of DoS (measured or unmeasured).
Anti-spoofing does help. In one study I conducted of an oft-DoS'd site, 60% of the naughty packets had _obvious_ bogon source addresses. The percentage of spoofing was difficult to deduce, though it may have been quite a bit higher than 60%. Why send such packets through an anti-DDoS device? It's a waste of cycles. Ah, but you've heard this from me before, so I'll spare you the rave. :)

What percentage of all Internet traffic is DoS? Unclear. Until the data is gathered, it cannot be analyzed, and the data is rarely collected.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);
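Added worked example (not part of Rob's message, and not Team Cymru's code): a toy edge triage over constructed flow records that shows the two points the post makes. First, obviously bogon-sourced packets are discarded before anything expensive looks at them, so the anti-DDoS gear never spends cycles on them. Second, with the bogons gone, simple per-source flow counting is enough to surface the two unspoofed patterns described above: one host opening a surfeit of sockets to a web server, and one host sweeping a port (NetBIOS here) across many addresses during a harvest. The flow records, the thresholds, and the short bogon prefix list are all assumptions made for illustration; a real filter would use a maintained bogon feed, not this handful of prefixes.

```python
"""Toy edge flow triage: drop bogon-sourced flows, then count per-source
connections and per-source scan targets over constructed flow records.
Illustrative only; not captured traffic and not an authoritative bogon list."""
import ipaddress
from collections import Counter, defaultdict

# Assumption: a deliberately small, illustrative set of reserved/unallocated
# prefixes that should never be a source address arriving from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(src: str) -> bool:
    """True if the source address falls inside one of the bogon prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_PREFIXES)


# Constructed flow records, not real traffic: (src, dst, dport, packets).
# One record stands for one TCP connection as a flow exporter would report it.
FLOWS = [
    ("10.1.2.3",     "203.0.113.10", 80, 1),    # RFC 1918 source: obvious bogon
    ("127.0.0.1",    "203.0.113.10", 80, 1),    # loopback source: obvious bogon
    ("224.1.1.1",    "203.0.113.10", 80, 1),    # multicast source: obvious bogon
    ("198.51.100.7", "203.0.113.10", 80, 9),    # ordinary web client
    ("198.51.100.8", "203.0.113.10", 80, 12),   # ordinary web client
]
# Unspoofed "surfeit of sockets": one bot opening 40 short connections to port 80.
FLOWS += [("198.51.100.99", "203.0.113.10", 80, 3) for _ in range(40)]
# Harvest scan: one host probing port 445 on 25 distinct addresses.
FLOWS += [("198.51.100.200", f"203.0.113.{i}", 445, 1) for i in range(20, 45)]


def drop_bogons(flows):
    """Split flows into (kept, dropped). Dropped flows never reach deeper analysis."""
    kept = [f for f in flows if not is_bogon(f[0])]
    dropped = [f for f in flows if is_bogon(f[0])]
    return kept, dropped


def connection_counts(flows, dport):
    """Number of connections each source opened to the given destination port."""
    return Counter(f[0] for f in flows if f[2] == dport)


def socket_floods(flows, dport=80, threshold=20):
    """Sources that opened more than `threshold` connections to dport in this window.
    The threshold is an assumed tuning value; size it from the site's own baseline."""
    return {src: n for src, n in connection_counts(flows, dport).items()
            if n > threshold}


def scanners(flows, min_targets=10):
    """Sources that touched at least `min_targets` distinct destinations on one port,
    the signature of a harvest sweep. Returns {src: (dport, distinct_targets)}."""
    targets = defaultdict(set)
    for src, dst, dport, _ in flows:
        targets[(src, dport)].add(dst)
    return {src: (dport, len(dsts))
            for (src, dport), dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    kept, dropped = drop_bogons(FLOWS)
    print(f"dropped {len(dropped)} bogon-sourced flows at the edge")
    print("socket floods:", socket_floods(kept))
    print("scanners:", scanners(kept))
```

The ordinary clients (a handful of connections each) stay below the flood threshold, the bot with 40 connections to port 80 is reported, and the host sweeping port 445 is reported as a scanner; the three bogon-sourced flows are gone before either count runs. The counts are per window, so on real data you would key the records by export interval and compare against that interval's baseline rather than a fixed number.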