Distributed Denial-of-Service (DDoS) attacks are
- Cory Doctorow
- Aug 20, 2001
Distributed Denial-of-Service (DDoS) attacks are pernicious — maybe intractable — problems on the Internet. The attacker starts by compromising vulnerable computers all over the Internet (on many different backbones and subnets), then directs them all in a coordinated attack against the target, flooding it with traffic. Since the attack comes from all over the Internet, you can’t simply filter out a few addresses. The traditional solution is to identify all the compromised computers (zombies), one at a time, figure out who their ISP is, find someone at the ISP who can give you a phone number for the zombie’s owner, call them up and ask them to shut down and de-virify their computers. This is pretty time-consuming, and an attacker can usually make new zombies faster than you can kill them. Now a collection of security companies is trying a new solution: a piece of software for ISPs that watches the traffic their users are sending, automatically identifying and shutting down zombies as they appear. This is the DDoS equivalent of the “best-practice” for ISPs’ mailservers, where they block open mail-relays, which makes spamming much, much harder. Of course, spam persists, and presumably, so will DDoS attacks. (via /.)
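
One heuristic such ISP-side software could apply, as an added example that is not from the post or from the vendors it mentions: flag a subscriber that keeps sending a high volume of packets to one destination while getting almost no replies, and note when several subscribers flood the same destination. The flow-record layout, thresholds and subscriber names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic), one per subscriber and
# destination per 10-second window:
# (window, subscriber, dst_ip, packets_out, packets_in)
FLOWS = [
    (0, "cust-a", "198.51.100.7", 40, 38),
    (0, "cust-b", "203.0.113.9", 52000, 3),
    (0, "cust-c", "198.51.100.20", 900, 870),
    (1, "cust-a", "198.51.100.7", 35, 36),
    (1, "cust-b", "203.0.113.9", 61000, 0),
    (1, "cust-c", "203.0.113.9", 15, 14),
    (2, "cust-b", "203.0.113.9", 58000, 1),
    (2, "cust-d", "203.0.113.9", 47000, 2),
]

MIN_PACKETS_OUT = 10000  # assumed threshold: packets to one destination per window
MAX_REPLY_RATIO = 0.01   # assumed: flood traffic draws almost no replies
MIN_WINDOWS = 2          # require persistence before acting, to limit false positives

def suspicious(packets_out, packets_in):
    """High outbound volume to one destination with a near-zero reply rate."""
    return (packets_out >= MIN_PACKETS_OUT
            and packets_in <= packets_out * MAX_REPLY_RATIO)

def find_zombies(flows):
    """Return {subscriber: {dst_ip: flagged_windows}} for persistent offenders."""
    hits = defaultdict(lambda: defaultdict(int))
    for _window, sub, dst, out, inn in flows:
        if suspicious(out, inn):
            hits[sub][dst] += 1
    return {sub: dict(d) for sub, d in hits.items()
            if any(n >= MIN_WINDOWS for n in d.values())}

def shared_targets(flows):
    """Destinations flooded by more than one subscriber: a coordinated attack."""
    by_dst = defaultdict(set)
    for _window, sub, dst, out, inn in flows:
        if suspicious(out, inn):
            by_dst[dst].add(sub)
    return {dst: sorted(subs) for dst, subs in by_dst.items() if len(subs) > 1}

if __name__ == "__main__":
    print("persistent:", find_zombies(FLOWS))
    print("shared targets:", shared_targets(FLOWS))
```

The persistence bar keeps a single noisy window (cust-d here) from triggering a shutdown, while the shared-target view still surfaces it as part of the same flood.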