
Can we Find & Attack DDOS Botnet-Sources? (even before they attack)


Short Background:

Distributed Denial-of-Service attacks, usually called DDOS, are organized by many synchronized computers that try to connect to a certain web server or service and put such a load on it that it can no longer serve legitimate users, or that it crashes completely. The organized group of synchronized computers is called a botnet, since it is composed of many bot (slave) computers. The bots are controlled by a hacker or group of hackers who managed to get hold of them without the users ever knowing about it. Hackers can aggregate millions of slave computers, waiting to be used at the right time. The bots are usually synchronized in advance to make sure they attack simultaneously.

[Simplified DDOS Flow Diagram]

The damage done by DDOS attacks is estimated to reach up to 400K$ for enterprises on average. The current tools are mainly focused on stopping the attack once it has already started. I suggest stopping the botnet acquisition by the hackers, while they are preparing for the attack. This way a lot of damage will be prevented.

This requires Anti-Virus companies like AVG, Norton, etc. to cooperate in sending the parameters/logs of suspicious denied attack requests to a central server, instead of just discarding them as is done currently. (A Security Consortium, maybe?)

The central server will be responsible for locating the prime sources (initiators) of the traffic, using a graph built from MAC/IP addresses and the directions of the connections. Each time a new botting mechanism is found, it is added to a known-botting DB to be examined and dealt with by experts. Then the fix is added to new Antivirus version updates, to ensure the mechanism cannot be used anymore. If it is used again, the attackers' efforts to build a botnet will be detected using the already known attack vector or signature. This way, the pre-attack will be found and neutralized quickly by tracing the graph of nodes back to its starting source, using standard graph mathematics.
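As an added illustration of the central-server idea above (this is example code written for this page, not the author's implementation, and the post does not specify a graph algorithm), the block below ingests constructed denied-connection reports of the kind cooperating endpoint agents would forward, builds a directed "who contacted whom" graph from the IP addresses, and ranks the graph roots by how many hosts they can reach. The report format, the root-with-largest-reach heuristic, the `bot-dropper-A` / `scanner-B` signature labels and all addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""Toy version of the central server described in the post.

Assumed (not stated in the post): the report tuple format, the heuristic
that initiators are graph roots with the largest reachable set, and the
constructed sample data below.
"""
from collections import defaultdict, deque

# Constructed sample reports: (reporting host, source that tried to
# connect to it, blocked-signature label).  Addresses are RFC 5737
# documentation ranges and do not refer to real hosts.
SAMPLE_REPORTS = [
    ("192.0.2.10", "198.51.100.5", "bot-dropper-A"),
    ("192.0.2.11", "198.51.100.5", "bot-dropper-A"),
    ("192.0.2.12", "192.0.2.10", "bot-dropper-A"),   # infected host recruits another
    ("192.0.2.13", "192.0.2.11", "bot-dropper-A"),
    ("192.0.2.14", "192.0.2.13", "bot-dropper-A"),
    ("203.0.113.7", "203.0.113.9", "scanner-B"),      # unrelated noise campaign
]


def build_graph(reports):
    """Directed edges source -> target; returns (adjacency, all nodes)."""
    graph = defaultdict(set)
    nodes = set()
    for target, source, _sig in reports:
        graph[source].add(target)
        nodes.add(source)
        nodes.add(target)
    return graph, nodes


def reachable(graph, start):
    """All nodes reachable from start via BFS, excluding start itself."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def rank_initiators(reports, signature=None):
    """Return [(source, reach_count)] for graph roots, largest reach first.

    A root is a node that only ever appears as a source (no report names it
    as a target).  Restricting to one blocked signature keeps unrelated
    campaigns from being mixed into the same graph.
    """
    if signature is not None:
        reports = [r for r in reports if r[2] == signature]
    graph, nodes = build_graph(reports)
    targets = {t for t, _, _ in reports}
    roots = [n for n in nodes if n not in targets]
    ranked = [(root, len(reachable(graph, root))) for root in roots]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


if __name__ == "__main__":
    for src, reach in rank_initiators(SAMPLE_REPORTS, "bot-dropper-A"):
        print(f"{src}: reaches {reach} hosts")  # 198.51.100.5: reaches 5 hosts
```

Filtering by signature before building the graph matters: in the sample data the `scanner-B` report comes from a different campaign, and without the filter it shows up as a second, smaller root. In a real deployment the reach count would be one input among several (first-seen time, sample hashes, ASN), not the sole ranking key.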

The pre-attack prevention efforts also demand cooperation with country/state ISPs to locate the related physical position by IP/MAC address. Police or federal agency cooperation will be used for the arrest of the hackers. This process can only be arranged if the DDOS attack is not organized by a country-level organization (such as in the case of war or strategic spying).

Another optional pattern, to be researched, is how to automatically back-attack the found hackers' server/computer through known vulnerabilities in the detected botting system they used (to try aggregating bots).

To be continued

Have fun,

Hagay Onn

