This sounds like just a short term work-around, easily countered by the DoSers. Rather than fix the problem, they propose to try to detect "unusual activity" and block the IPs. I'm not sure what "trace" means either -- identify IPs and hunt down the perpetrators?

It's the predictable low tech approach to all net problems -- identify undesirable behavior, trace it, complain to ISPs, block it, form coalitions against the behavior with central clearing houses of people to block.

Ultimately you can't distinguish between DDoS and popular content. They're just pushing the DDoS crowd to the next obvious and easy level -- bypass their fingerprinting of unusual behavior. They can't counter-escalate much further because they'll start getting into false positives and rejecting legitimate traffic.

Any robust long term solution to DDoS needs to defend against DDoS with Distributed Service. If content can be mirrored and cached reactively to traffic, mature versions of systems like FreeNet could be built to cope with DDoS. If requests are routed to local caches there is no longer a central server taking all the traffic, which is the basic problem these people are trying to kludge around.

They might want to look at Hash Cash and Client Puzzles for systems which can't be easily distributed (web apps with central database needing to be updated).

Adam
Roughly a year after cyber-terrorists paralyzed some of the Web's most trafficked sites, technology is finally emerging to stop such distributed denial-of-service attacks before they ever reach their target sites.
[...]
To combat such attacks on routers, a new company called Arbor Networks--funded by Cisco and Intel--this week will launch a managed availability service that aims to detect, trace and block DoS attacks.
http://update.internetweek.com/cgi-bin4/flo?y=eCNx0Bd6gU0V30DDqD
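
The message above names Hash Cash and client puzzles without showing one. The following is an added example, not code from the post or from the Hashcash project: a simplified hashcash-style puzzle in which the server hands out a stateless, HMAC-bound challenge and checks the solution with one HMAC and one hash. The separator, SHA-256, difficulty, lifetime and all function names are assumptions of this sketch, and it does not use the real Hashcash stamp format.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # constructed per-process secret (assumption)
DIFFICULTY_BITS = 16         # assumed work factor: about 65k hashes on average
TTL_SECONDS = 120            # assumed challenge lifetime

def issue_challenge(client_ip, now=None):
    """Server: build a challenge bound to client IP and issue time; no state kept."""
    ts = str(int(time.time() if now is None else now))
    msg = f"{client_ip}|{ts}|{os.urandom(8).hex()}"
    tag = hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{tag}"

def leading_zero_bits(digest):
    """Number of zero bits at the front of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge, bits=DIFFICULTY_BITS):
    """Client: search for a counter whose hash has `bits` leading zero bits."""
    counter = 0
    while True:
        d = hashlib.sha256(f"{challenge}|{counter}".encode()).digest()
        if leading_zero_bits(d) >= bits:
            return counter
        counter += 1

def verify(challenge, counter, client_ip, now=None, bits=DIFFICULTY_BITS):
    """Server: constant cost per request, however long the client worked."""
    parts = challenge.split("|")
    if len(parts) != 4:
        return False
    ip, ts, nonce, tag = parts
    expected = hmac.new(SERVER_KEY, f"{ip}|{ts}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    # Reject challenges this server did not issue before doing anything else.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    now = time.time() if now is None else now
    if ip != client_ip or now - int(ts) > TTL_SECONDS:
        return False
    d = hashlib.sha256(f"{challenge}|{counter}".encode()).digest()
    return leading_zero_bits(d) >= bits
```

A solved challenge stays valid until it expires, so a deployment that must stop replay within that window also needs a record of spent challenges.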