Assumptions and biases
- Ingress filtering, reflectors, etc. cause us to underestimate # of attacks
- Can bias rate estimation (can we test uniformity?)
- Packet losses, server overload & rate limiting cause us to underestimate attack rates/durations
- Can be biased by purposeful unsolicited packets
- Port scanning (minor factor at worst in practice)
- Do we detect backscatter at multiple sites?