perhaps a change in the packet density during the attack might suggest
that an intermediate circuit is becoming congested. if this is the
case, then ISPs may be able to look at known high-use corrodors instead
of groping around blindly. or, conversely, if there is a steady stream
at 2Kpps, that might be enough to allow a smaller provider to discount
part of the topology that is not able to support that kind of traffic.
i think that Alexis said that the 2nd attack involved something like
7 panix machines--just how much bandwidth is needed to support a
2Kpps attack on 7 machines?
Without giving too many details, I will say that there was never a
2kpps attack on panix..