protecting the servers is not the *critical* point. protecting the service is. don't obsessed up on silly boxes.
You're right. It comes down to risk mitigation, not risk elimination. I'd posit it's impossible to PREVENT a DDOS attack -- as such, as we did when they first manifested themselves in 1999, we need to develop response plans capable of meeting the onslaught and mitigating its impact so that things continue to function, even if they're degraded somewhat. It's like airport security - total security is a fantasy, but we have to raise the bar to make it more difficult for an attacker, and couple that with effective plans to respond when things occur, thus ensuring both an acceptable level of service during the incident and a smooth recovery/investigation afterward. Of course, in the airport security case, the bar's still lying on the ground..... :( Rick Infowarrior.org