by mhandley 3569 days ago
If you knew for sure that an IP src address involved in a DDoS attack was not spoofed, we could easily design a control protocol that allowed a recipient to contact the origin ISP and enable a block on that particular {src,dst} pair. Unless you know for sure that the src address isn't spoofed though, such a mechanism would itself be abused to deny service. Having the ability to validate a source address would be the enabler for proper defense mechanisms.

We wrote about one way to do this about ten years ago, but no-one was really interested at the time: http://www0.cs.ucl.ac.uk/staff/M.Handley/papers/terminus2007...

1 comments

> Unless you know for sure that the src address isn't spoofed though, such a mechanism would itself be abused to deny service.

Unfortunately, even if you know that the source address isn't spoofed, such a mechanism would itself be abused to deny service.
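A toy model of the {src,dst} block protocol from the top-level comment, added here as an illustration and not taken from the Terminus paper or either commenter. The HMAC tag, the shared key per destination and the addresses are constructed stand-ins for "knowing the requester speaks for dst"; the naive variant honours any request, so a third party can use the control plane itself to cut a victim off from a legitimate peer.

```python
import hashlib
import hmac


class OriginISP:
    """Toy origin-ISP control point that accepts {src,dst} block requests.

    validate_requester=False models the naive design: any request is honoured.
    validate_requester=True models a design where the requester must prove it
    speaks for dst (here an HMAC over the pair, keyed with a secret the ISP
    holds for dst; a constructed stand-in for real source-address validation).
    """

    def __init__(self, dst_keys, validate_requester):
        self.dst_keys = dst_keys              # dst address -> secret shared with that network
        self.validate_requester = validate_requester
        self.blocked = set()                  # (src, dst) pairs the ISP is dropping

    @staticmethod
    def tag(key, src, dst):
        return hmac.new(key, f"{src}->{dst}".encode(), hashlib.sha256).hexdigest()

    def request_block(self, src, dst, tag=None):
        """Return True if the block was installed, False if the request was refused."""
        if self.validate_requester:
            key = self.dst_keys.get(dst)
            if key is None or tag is None or not hmac.compare_digest(tag, self.tag(key, src, dst)):
                return False                  # requester cannot prove it speaks for dst
        self.blocked.add((src, dst))
        return True

    def forwards(self, src, dst):
        return (src, dst) not in self.blocked


def scenario(validate):
    """Constructed addresses: a victim, a legitimate peer of the victim, and an attacker's bot."""
    victim, peer, bot = "198.51.100.10", "203.0.113.5", "192.0.2.77"
    victim_key = b"victim-shared-secret"      # constructed secret
    isp = OriginISP({victim: victim_key}, validate_requester=validate)
    # Abuse of the control plane: someone who does not speak for the victim asks the
    # ISP to drop the legitimate peer's traffic towards the victim.
    forged = isp.request_block(peer, victim, tag="not-a-valid-tag")
    # Legitimate use: the victim asks the ISP to drop the bot's traffic.
    genuine = isp.request_block(bot, victim, tag=OriginISP.tag(victim_key, bot, victim))
    return {"forged_accepted": forged, "genuine_accepted": genuine,
            "peer_reaches_victim": isp.forwards(peer, victim),
            "bot_reaches_victim": isp.forwards(bot, victim)}
```

Run `scenario(False)` and `scenario(True)` side by side: the naive ISP installs the forged block and the peer is cut off, while the validating ISP refuses it and only the genuine block takes effect.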