Application layer DDoS attacks , in most (all?) cases require a valid TCP/IP connection, therefore are not spoofed and BCP38 is irrelevant
DNS query-floods are a notable exception.
Application layer DDoS attacks , in most (all?) cases require a valid
TCP/IP connectionDNS query-floods are a notable exception.
may i remind you of the dns query flood i had which you helped research?
udp and tcp, from the same sources.
randy
Yes - we determined that the TCP-based queries were a result of RRL, which is optimized to help with spoofed reflection/amplification attacks, but isn't intended to handle non-spoofed query-floods (hence S/RTBH, flowspec, IDMS, et. al.) like the particular ANY query-flood directed at your auths.