Security and Robustness Denial of Service Attack Mitigation Caveat: very difficult to combat bandwidth-based DDoS There are two major problems: Ruleset evaluation costs (packets per second which don't match an existing connection) Memory pressure: Number of concurrent connections Techniques include: synproxy adaptive timeouts max-src-states and max-src-nodes max-src-conn and max-src-conn-rate Input queue congestion handling ALTQ