undefined | Better HN

0 pointsmhandley9y ago0 comments

If you knew for sure that an IP src address involved in a DDoS attack was not spoofed, we could easily design a control protocol that allowed a recipient to contact the origin ISP and enable a block on that particular {src,dst} pair. Unless you know for sure that the src address isn't spoofed though, such a mechanism would itself be abused to deny service. Having the ability to validate a source address would be the enabler for proper defense mechanisms.

We wrote about one way to do this about ten years ago, but no-one was really interested at the time: http://www0.cs.ucl.ac.uk/staff/M.Handley/papers/terminus2007...

0 comments

1 comments · 1 top-level

oarsinsync9y ago

> Unless you know for sure that the src address isn't spoofed though, such a mechanism would itself be abused to deny service.

Unfortunately, even if you know that the source address isn't spoofed, such a mechanism would itself be abused to deny service

j / k navigate · click thread line to collapse