On Tue, 7 May 2002 vern@ee.lbl.gov wrote:
It seems to me that the real issue in defending against an attack of this type is differentiating between legitimate traffic and zombie traffic.
Exactly. And while with today's DDoS attacks this is often not so hard, tomorrow's floods will be more carefully crafted so that there are no telltales that can be cheaply used to filter them out.
Steve Bellovin and colleagues (me being one of them) have been working on a scheme called "Pushback", in which routers detect traffic aggregates that are burdening one of their links, and send pushback messages upstream to their peers responsible for the bulk of the traffic, asking them to rate-limit the aggregates. The key idea is that the upstream peers then
1) rate-limits aren't going to solve anything.
2) I'm pretty sure most providers aren't going to let customers determine traffic engineering methods on their networks
3) if this is NOT done in a secure manner I bet I can make www.whitehouse.com disappear... :)
-Chris
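To make the Pushback mechanism Vern describes concrete, here is an added toy model (not code from the thread, from Bellovin's group, or from any Pushback implementation) of what one congested router does: find the aggregate loading its link, compute a local rate limit for it, and tell the upstream neighbours sending more than their share what to cut back to. The flow table, the 90% target utilisation and the max-min division among neighbours are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample: (upstream_neighbour, destination_prefix, arrival_rate_mbps)
# as seen by one router whose outgoing link is 100 Mbps.
SAMPLE_FLOWS = [
    ("upstream-A", "10.1.1.0/24", 60.0),
    ("upstream-B", "10.1.1.0/24", 30.0),
    ("upstream-C", "10.1.1.0/24", 5.0),
    ("upstream-A", "10.2.0.0/16", 10.0),
    ("upstream-B", "10.3.0.0/16", 15.0),
]

def identify_aggregate(flows, capacity):
    """Return the destination prefix carrying the most traffic, but only
    when the link is actually overloaded; otherwise nothing to push back."""
    if sum(r for _, _, r in flows) <= capacity:
        return None
    by_dst = defaultdict(float)
    for _, dst, rate in flows:
        by_dst[dst] += rate
    return max(by_dst, key=by_dst.get)

def aggregate_limit(flows, aggregate, capacity, target=0.9):
    """Rate the aggregate may keep so that it plus all other traffic
    fits into `target` of the link (the local rate-limit)."""
    others = sum(r for _, d, r in flows if d != aggregate)
    return round(max(0.0, capacity * target - others), 3)

def max_min_split(contrib, limit):
    """Divide `limit` among upstream neighbours max-min fairly. Neighbours
    already below their fair share are left alone; the rest are capped.
    Returns {neighbour: allowed_rate} only for neighbours that must cut."""
    remaining, budget, capped = dict(contrib), limit, {}
    while remaining:
        share = budget / len(remaining)
        under = [n for n, r in remaining.items() if r <= share]
        if not under:                       # everyone left exceeds the share
            capped = {n: round(share, 3) for n in remaining}
            break
        for n in under:                     # unconstrained: release budget
            budget -= remaining.pop(n)
    return capped

def pushback(flows, capacity):
    """One round of local detection plus the pushback messages to send upstream."""
    agg = identify_aggregate(flows, capacity)
    if agg is None:
        return None
    limit = aggregate_limit(flows, agg, capacity)
    contrib = defaultdict(float)
    for upstream, dst, rate in flows:
        if dst == agg:
            contrib[upstream] += rate
    return {"aggregate": agg, "limit": limit,
            "messages": max_min_split(contrib, limit)}
```

With the sample table the 10.1.1.0/24 aggregate is held to 65 Mbps and only upstream-A, which was sending 60 Mbps of it, receives a pushback message asking for 30 Mbps; B and C are already within their share.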