
What happens when a DDoS is indistinguishable from regular traffic? Or is it the case that it almost always follows a particular pattern?



It's always a matter of capacity. If there is absolutely no attribute you can distinguish it by, you have no choice but to handle it like normal.

In practice, there is. If we're talking about an HTTP flood, the other endpoint address is always validated (due to the 3-way handshake) so it's plausible to rate limit and block individual addresses. (But without validated client addresses, the rule is to NEVER create state off those, because spoofing is too easy.)
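The two rules in this reply (rate limit per validated address; never create state from an unvalidated one), as an added example that is not the commenter's code: a per-source sliding-window limiter whose table only ever holds addresses that completed a handshake, so a spoofed-source flood cannot fill it. The class, the addresses and the traffic are constructed for illustration.

```python
from collections import deque


class PerSourceRateLimiter:
    """Sliding-window rate limiter keyed by client address (constructed example).

    Per-address state is created only for requests whose source address has been
    validated (for TCP: a completed three-way handshake). Packets whose source is
    unvalidated (a bare SYN, a UDP datagram) never create state, so an attacker
    cannot exhaust the table with spoofed addresses.
    """

    def __init__(self, max_requests: int, window_seconds: float, max_tracked: int = 10_000):
        self.max_requests = max_requests
        self.window = window_seconds
        self.max_tracked = max_tracked          # hard bound on table size (capacity)
        self.history: dict[str, deque] = {}     # addr -> timestamps of recent requests

    def check(self, addr: str, validated: bool, now: float) -> bool:
        """Return True if the request may proceed, False if the address is over its limit."""
        if not validated:
            # Unverified source: allocate nothing keyed by this address and leave the
            # packet to the capacity-based handling used for ordinary traffic.
            return True
        stamps = self.history.get(addr)
        if stamps is None:
            if len(self.history) >= self.max_tracked:
                self._evict(now)
            stamps = self.history[addr] = deque()
        cutoff = now - self.window
        while stamps and stamps[0] <= cutoff:   # forget requests outside the window
            stamps.popleft()
        if len(stamps) >= self.max_requests:
            return False                        # over limit inside the window: block
        stamps.append(now)
        return True

    def _evict(self, now: float) -> None:
        """Keep the table bounded: drop idle addresses, then the least recently active."""
        cutoff = now - self.window
        for a in [a for a, s in self.history.items() if s[-1] <= cutoff]:
            del self.history[a]
        if len(self.history) >= self.max_tracked:
            del self.history[min(self.history, key=lambda a: self.history[a][-1])]

    def tracked(self) -> int:
        return len(self.history)


def simulate() -> dict:
    lim = PerSourceRateLimiter(max_requests=5, window_seconds=1.0, max_tracked=100)
    # Constructed HTTP flood: one validated client sends 8 requests within one second.
    flood = [lim.check("203.0.113.7", validated=True, now=0.1 * i) for i in range(8)]
    # Constructed spoofed SYN flood: 1000 distinct addresses, none validated.
    for i in range(1000):
        lim.check(f"10.{i // 256}.{i % 256}.1", validated=False, now=0.5)
    return {"blocked": flood.count(False), "tracked": lim.tracked()}


if __name__ == "__main__":
    print(simulate())  # {'blocked': 3, 'tracked': 1}
```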



