Comment by zeta0134
4 years ago
The key is in the first D: "distributed." A DDoS is designed to look just like legitimate traffic, but coming from many sources all at once. The goal of a successful attack is to both overwhelm the target network by sheer volume, and to make it difficult to stop the attacker without also blocking legitimate traffic. They persist in large part because they exploit the interconnectivity that makes the internet useful in the first place, without which it would cease to be.
The firewall can't tell what is legitimate traffic and what looks like legitimate traffic, but the application often can. This is what DOTS is trying to cover: let the application server tell the firewall who to allow or block in real time.
https://www.rfc-editor.org/rfc/rfc8782.html
It depends; some attacks rely on spoofing source addresses. This should not be possible and is easily detectable by ISPs as illegitimate traffic. As far as my other suggestion, it would be a user accessible API. Whoever controls an IP should be able to instruct their ISP what is/isn't legit traffic, so the ISP does not have to know anything.
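As an added illustration of the "application tells the firewall" idea discussed above (example code written for this thread, not from the RFC or any DOTS implementation): the application counts requests per source, packs the offenders into a simplified DOTS-style mitigation request, validates every prefix before it is trusted, and turns the request into block rules. The message layout only loosely follows the RFC 8782 mitigation-scope; the field names, the `source-prefix` list and the rule syntax are assumptions, and the log lines are constructed.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample access log (source IP, method, path); not real traffic.
LOG_LINES = (["198.51.100.7 GET /login"] * 6
             + ["198.51.100.9 GET /login"] * 5
             + ["192.0.2.4 GET /", "203.0.113.5 GET /about"])


def offending_sources(lines, threshold):
    """Sources that sent at least `threshold` requests in this log window."""
    counts = Counter(line.split()[0] for line in lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def build_mitigation_request(target_prefix, port, offenders, lifetime=600):
    """Simplified DOTS-style request (field names are assumptions, loosely
    modelled on the RFC 8782 mitigation-scope). Prefixes are validated so a
    malformed value can never reach the firewall; the request expires after
    `lifetime` seconds so a stale block list does not linger."""
    target = str(ipaddress.ip_network(target_prefix, strict=False))
    sources = [str(ipaddress.ip_network(ip + "/32")) for ip in offenders]
    scope = {
        "target-prefix": [target],
        "target-port-range": [{"lower-port": port, "upper-port": port}],
        "target-protocol": [6],          # TCP
        "lifetime": lifetime,
        "source-prefix": sources,        # assumed extension: who to drop
    }
    return {"mitigation-scope": {"scope": [scope]}}


def to_firewall_rules(request):
    """Translate each scope into generic 'drop' rules (pseudo-syntax)."""
    rules = []
    for scope in request["mitigation-scope"]["scope"]:
        port = scope["target-port-range"][0]["lower-port"]
        for target in scope["target-prefix"]:
            for src in scope["source-prefix"]:
                rules.append(f"drop from {src} to {target} tcp dport {port} "
                             f"timeout {scope['lifetime']}s")
    return rules


if __name__ == "__main__":
    req = build_mitigation_request("203.0.113.10/32", 443,
                                   offending_sources(LOG_LINES, 5))
    print(json.dumps(req, indent=2))
    print("\n".join(to_firewall_rules(req)))
```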