Alain Durand wrote:
> Fred L. Templin wrote:
>> Alain/Christian,
>>
>> Maybe I missed something, but could it not be the case that the
>> attacker is randomly varying his source address? In which case,
>> the log collected at S6 may contain uncorrelated (and
>> untraceable) S4's?
>
> No, this would be caught by IPv4 ingress filtering.

Maybe I'm behind the times here, but when I last looked at DDoS attacks, randomly varying the IPv4 source address was an element that made the attacks particularly difficult to trace. At that time, it was not necessarily true that all sites in the global IPv4 Internet properly configured IPv4 ingress filtering. Are you saying this is no longer the case?

Thanks,

Fred
ftemplin@iprg.nokia.com