How can DDoS mitigation devices distinguish between legit and malicious traffic? I'm not a networking expert, but it seems to me that if you're a website hosting a big file like the latest Ubuntu release, a legitimate client will say:
GET /ubuntu-13.10-server-amd64.iso
and cost you 500 MB of traffic (or however big the ISO file is).
A DDoS is nothing more than thousands or millions of machines saying:
GET /ubuntu-13.10-server-amd64.iso
How do the solutions others are talking about in this thread (DDoS mitigation provider or specialized hardware) tell the difference between DDoS traffic and legitimate requests?
That is something different; it is only used to waste someone's bandwidth (or potentially to clog the server's upload, but that is easily solvable). In big DDoS attacks the attacker usually has several hundred thousand zombies infected in his botnet, and then he orders all those zombies to spam packets at an IP he chooses ... Every infected PC uses its maximum upload to the target IP, resulting in something like this: http://d.pr/i/kmAn
If I'm online during the attack and check iptraf or tcpdump, I can see literally hundreds of different IPs spamming random stuff at me, completely overflowing my download until I get totally disconnected from the server (time out), and I can do nothing about it, just watch it be offline ...
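The pattern the answer above describes (many source IPs each pushing packets as fast as their uplink allows, versus a few normal clients each sending a handful of packets) is what a rate-based filter on a mitigation device keys on. The following is an added illustration, not code from the question or the answer: it parses constructed tcpdump-style lines, measures the sustained packet rate per source IP, and flags sources far above what a single client produces. The sample capture, the IP addresses and the 50 packets/second threshold are all assumptions made for the example.

```python
"""
Added illustration of a per-source rate filter of the kind a DDoS
mitigation device applies to volumetric floods. All capture lines are
constructed here; nothing is a real trace, and the threshold is an
illustrative assumption rather than a vendor default.
"""
import re
from collections import defaultdict

# tcpdump-style line, e.g.
# "12:00:01.000100 IP 203.0.113.5.51234 > 198.51.100.7.80: Flags [S], seq 0, win 64240, length 0"
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: .*length (\d+)$"
)


def parse_line(line):
    """Return (timestamp_seconds, src_ip, payload_len) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hh, mm, ss, frac, src, length = m.groups()
    ts = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(frac) / 10 ** len(frac)
    return ts, src, int(length)


def build_sample_capture():
    """Constructed capture: 3 legitimate clients plus 20 flooding sources (assumed addresses)."""
    lines = []
    server = "198.51.100.7.80"
    # Legitimate clients: a handshake and one small request each, spread over a few seconds.
    for i, src in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        for k, (flags, length) in enumerate([("[S]", 0), ("[.]", 0), ("[P.]", 120)]):
            ts = f"12:00:{i:02d}.{k * 100000 + 100000:06d}"
            lines.append(f"{ts} IP {src}.5{i}000 > {server}: Flags {flags}, seq 0, win 64240, length {length}")
    # Bots: 20 sources, each firing 200 full-size junk packets inside the same second.
    for b in range(20):
        src = f"192.0.2.{b + 1}"
        for k in range(200):
            ts = f"12:00:05.{k * 5000:06d}"
            lines.append(f"{ts} IP {src}.40000 > {server}: Flags [.], seq 0, win 0, length 1400")
    return lines


def per_source_rates(lines, min_window=1.0):
    """Packets, bytes and sustained packets-per-second for every source IP seen."""
    acc = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines we cannot attribute to a source
        ts, src, length = parsed
        s = acc[src]
        s["packets"] += 1
        s["bytes"] += length
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    for s in acc.values():
        # Never divide by a tiny span: a burst shorter than min_window is rated over min_window.
        span = max(s["last"] - s["first"], min_window)
        s["pps"] = s["packets"] / span
    return dict(acc)


def classify_sources(lines, pps_threshold=50.0):
    """Label each source 'flood' or 'normal' by sustained packet rate.
    pps_threshold is an assumption for this example; a real device tunes it per link and protocol."""
    rates = per_source_rates(lines)
    return {src: ("flood" if s["pps"] > pps_threshold else "normal") for src, s in rates.items()}


def flood_summary(lines, pps_threshold=50.0):
    """How many sources were flagged and what share of the bytes they account for."""
    rates = per_source_rates(lines)
    labels = classify_sources(lines, pps_threshold)
    total_bytes = sum(s["bytes"] for s in rates.values())
    flood_bytes = sum(rates[src]["bytes"] for src, lab in labels.items() if lab == "flood")
    return {
        "sources": len(rates),
        "flagged": sum(1 for lab in labels.values() if lab == "flood"),
        "flood_share": flood_bytes / total_bytes if total_bytes else 0.0,
    }


if __name__ == "__main__":
    capture = build_sample_capture()
    for src, label in sorted(classify_sources(capture).items()):
        print(f"{src:15} {label}")
    print(flood_summary(capture))
```

The point of the example is the thing the question is circling: the single legitimate GET for a large ISO costs the server upload but arrives as a handful of packets from one address, whereas the flood the answer describes shows up as hundreds of addresses each sustaining a high packet rate into the server's downlink, which is measurable per source before any application-layer content is inspected.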