WANTED: ISPs with DDoS defense solutions

How would the spoofing program, or its user, be able to tell if
it was successful? Unless I'm very confused, the definition of
spoofing is that the return packets aren't going to come back to you.

the whole thing would have to take place during a tcp control session
which used d-h to scramble itself, sort of the same way ssh does.

Diffie-Hellmann is a bit overkill.

It's simpler to have the client open a TCP connection to the server,
retrieve a token which is just some reasonable number of random bits like
64, then send the token back in a set of UDP packets using spoofed
addresses, then pause for a second or two and ask the server (through the
TCP connection) whether it saw the spoofed packets. Three UDP packets
should be enough to eliminate most packet loss scenarios and the spoofed
address could be chosen by munging the first octet to a number from 44 to

That's enough for the server to collect stats and to provide a status
report to the client.

If the client is behind a NAT, and the spoofed source address doesn't get
through, then that's OK because it means that no application in that same
location behind the NAT can use spoofed addresses.

--Michael Dillon

Which is important given the number of NAT setups that only perform NAT for the ranges they deal with and leave everything else alone. NATing all traffic may not be ideal in some cases, but filtering traffic that isn't desired is critical. Establishing an initial connection is, of course, necessary so that the server recognizes what the source address should be.