said by nonymous: said by borntochill:
There are effective mitigation systems against sophisticated DDoS attacks. For instance, Prolexic and Verisign among others offer cloud-based clean pipes services, however these systems/services do not come cheap. We're talking annual operating service costs in the five figures or even six figures.
All that traffic still has to be dumped somewhere. So yes upstream filtering but your ISP may charge a ton if it saturates too much of even their stream.
You guys are thinking regular DDOS attacks - at least in this case it wasn't a regular attack. CallCentric's "pipes" haven't been clogged - it's the registration servers that became overloaded. This has nothing to do with bandwidth or lack thereof.
The only ways to mitigate this attack are to deploy more secure code and/or deploy more/bigger registration servers. To put it to an example, lets say you have a registration server big enough to handle 1000 registrations a second - if a few servers send 10000 requests a second at it it'll choke - but it's relatively easy to fix by just blocking them. But if 600,000 servers (botnet) send one request a minute the effect is the same, yet incredibly hard to block. There are other ways to make this even harder to block, but I don't want to give the bad guys more ideas.
So bottom line: bigger servers + better code = less susceptible to registrar DDOS.