Stardate 20010821.0659 (On Screen): As a defense against distributed denial of service attacks, has anyone ever tried to implement an adaptive firewall? Every firewall I know of simply uses a hard block list, and that can only be changed by humans. Thus responding to a DDoS is very slow and painful because humans have to plow through firewall logs and manually set up block rules.
Why can't a firewall use a heuristic to monitor traffic from each source IP, and create temporary rules to block any IP that does not seem to be playing nicely? If I receive three malformed packets out of any successive ten from you, then I'll block you for ten minutes. This might have to be distributed, since one of the purposes of a DDoS is to saturate a datapipe. This would be implemented as stand-alone boxes, offered as a service by network companies. A box would sit between the datapipe and the destination computer and monitor traffic (and act as a local firewall) and would, if need be, send messages upstream to a master firewall at the network company itself. These boxes could be updated with new heuristics on an ongoing basis, so that when the next "Code Red" appeared all the boxes could be programmed to deal with it once it was identified and analyzed.
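One way to implement the "three malformed out of any successive ten, block for ten minutes" heuristic, as an added example that is not code from the original post: a per-source sliding window over the last ten packets that installs a temporary block rule when the threshold is hit and lets the rule expire on its own, so no human has to clean up the block list afterwards. The packet stream, the addresses and the malformed flag are constructed sample input; in a real box the flag would come from the packet parser.

```python
from collections import defaultdict, deque

class AdaptiveBlocker:
    """Per-source sliding window: a source that sends `threshold` malformed
    packets within its last `window` packets gets a temporary block rule
    that expires on its own after `block_seconds` (no human in the loop)."""

    def __init__(self, window=10, threshold=3, block_seconds=600):
        self.window = window
        self.threshold = threshold
        self.block_seconds = block_seconds
        # src -> deque of the last `window` malformed flags (True = malformed)
        self.recent = defaultdict(lambda: deque(maxlen=window))
        # src -> time at which the temporary block rule expires
        self.blocked_until = {}

    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:            # rule aged out: remove it and start fresh
            del self.blocked_until[src]
            self.recent[src].clear()
            return False
        return True

    def observe(self, src, malformed, now):
        """Decide 'drop' or 'pass' for one packet from `src` seen at time `now`."""
        if self.is_blocked(src, now):
            return "drop"
        flags = self.recent[src]
        flags.append(bool(malformed))
        if sum(flags) >= self.threshold:
            self.blocked_until[src] = now + self.block_seconds
            flags.clear()
            return "drop"
        return "pass"

# Constructed sample stream: (seconds, source address, malformed?)
SAMPLE = [
    (0, "198.51.100.7", True), (1, "198.51.100.7", False), (2, "198.51.100.7", True),
    (3, "203.0.113.9", False),
    (4, "198.51.100.7", True),     # third malformed within ten packets -> blocked
    (5, "198.51.100.7", False),    # dropped by the temporary rule
    (700, "198.51.100.7", False),  # rule expired after 600 s, traffic passes again
]

def run(events, blocker=None):
    """Feed a stream through one blocker and return (src, decision) per packet."""
    blocker = blocker or AdaptiveBlocker()
    return [(src, blocker.observe(src, bad, t)) for t, src, bad in events]
```

Because the window is measured in packets rather than time, a source that spreads its malformed packets thinly (two bad, then nine good, then one bad) never reaches the threshold, which is the trade-off the post's "any successive ten" wording implies.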