Assumptions and biases
Address uniformity
- Ingress filtering, reflectors, etc. cause us to underestimate the number of attacks
- Can bias rate estimation (can we test uniformity?)
Reliable delivery
- Packet losses, server overload & rate limiting cause us to underestimate attack rates/durations
Backscatter hypothesis
- Can be biased by purposeful unsolicited packets
- Port scanning (minor factor at worst in practice)
- Do we detect backscatter at multiple sites?
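
One way to approach the "can we test uniformity?" question under Address uniformity, as an added example that is not from the original slides: a chi-square goodness-of-fit test over the monitored addresses that received backscatter. The chi-square test is chosen here for illustration; the /8 monitor size, the 10.0.0.0/8 placeholder prefix, the function names and both samples are constructed assumptions.

```python
import random
from collections import Counter
from statistics import NormalDist

TELESCOPE_BITS = 8   # assumption: the monitor covers a /8 (2**24 addresses)
BIN_BITS = 8         # split the monitored range into 2**8 equal-sized bins


def chi2_critical(df, alpha):
    """Upper-tail chi-square critical value (Wilson-Hilferty approximation)."""
    z = NormalDist().inv_cdf(1.0 - alpha)
    h = 2.0 / (9.0 * df)
    return df * (1.0 - h + z * h ** 0.5) ** 3


def uniformity_test(addrs, alpha=0.001):
    """Chi-square test of backscatter destination addresses against uniform.

    addrs: 32-bit integers, all inside the monitored prefix.
    Returns (statistic, critical_value, consistent_with_uniform).
    """
    host_bits = 32 - TELESCOPE_BITS
    shift = host_bits - BIN_BITS
    nbins = 1 << BIN_BITS
    counts = Counter((a & ((1 << host_bits) - 1)) >> shift for a in addrs)
    expected = len(addrs) / nbins
    stat = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(nbins))
    crit = chi2_critical(nbins - 1, alpha)
    return stat, crit, stat <= crit


def constructed_samples(n=20000, seed=1):
    """Constructed data: one uniform sample, one skewed toward a quarter of the range."""
    rng = random.Random(seed)
    base = 10 << 24   # placeholder /8, not a real monitored network
    size = 1 << 24
    uniform = [base + rng.randrange(size) for _ in range(n)]
    # Every second packet lands only in the lowest quarter of the range.
    skewed = [base + rng.randrange(size // 4 if i % 2 else size) for i in range(n)]
    return uniform, skewed


if __name__ == "__main__":
    for name, sample in zip(("uniform", "skewed"), constructed_samples()):
        stat, crit, ok = uniformity_test(sample)
        print(f"{name}: chi2={stat:.1f} critical={crit:.1f} uniform={ok}")
```

A rejected test means rate estimates extrapolated from the monitored range inherit the skew, which is the bias the slide warns about.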