Flood Packet Signatures
If one can create signatures for typical flood packets (for instance TCP packets of a particular data size, or unusually large ICMP packets), one can filter those packets out while allowing normal traffic to proceed. Obviously, using signature-based packet filters leads to an arms race between packet generators and signature writers, but this is one of the usual dilemmas in the IDS arena. The same technology can also be used to prevent attacks by filtering out control channels (see below). Since the number of signatures needed for DDoS floods is rather small, it may be possible to run such a filter at relatively high throughput.
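As an added illustration of the idea above (this is not code from the original post), the following script parses raw IPv4 datagrams and applies two small flood signatures: ICMP datagrams over a size threshold, and bare TCP SYN segments that already carry payload. The 1024-byte ICMP threshold, the SYN-with-data rule, and the sample packets (built in the script, not captured traffic) are all assumptions chosen for the demonstration.

```python
import socket
import struct
from dataclasses import dataclass

ICMP, TCP, UDP = 1, 6, 17   # IP protocol numbers


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    total_len: int   # IPv4 total-length field (header + payload)
    payload: bytes   # everything after the IP header


def parse_ipv4(raw: bytes) -> Packet:
    """Parse a raw IPv4 datagram; reject inconsistent length fields."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(raw) < total_len:
        raise ValueError("inconsistent IPv4 length fields")
    return Packet(proto, socket.inet_ntoa(src), socket.inet_ntoa(dst),
                  total_len, raw[ihl:total_len])


# Signatures: each returns True when the packet should be dropped.
def sig_large_icmp(pkt: Packet, max_len: int = 1024) -> bool:
    """ICMP datagram larger than any normal echo (threshold is an assumption)."""
    return pkt.proto == ICMP and pkt.total_len > max_len


def sig_tcp_syn_with_data(pkt: Packet) -> bool:
    """Bare SYN (no ACK) that already carries data. TCP Fast Open (RFC 7413)
    legitimately does this, so tune or disable the rule where it is in use."""
    if pkt.proto != TCP or len(pkt.payload) < 20:
        return False
    data_off = (pkt.payload[12] >> 4) * 4     # TCP header length in bytes
    flags = pkt.payload[13]
    syn, ack = flags & 0x02, flags & 0x10
    return bool(syn) and not ack and len(pkt.payload) > data_off


SIGNATURES = [("large-icmp", sig_large_icmp),
              ("tcp-syn-with-data", sig_tcp_syn_with_data)]


def classify(raw: bytes):
    """Name of the first matching signature, or None to let the packet pass."""
    pkt = parse_ipv4(raw)
    for name, match in SIGNATURES:
        if match(pkt):
            return name
    return None


def filter_packets(raws):
    """Split a batch into (passed, dropped); dropped holds (reason, src) pairs."""
    passed, dropped = [], []
    for raw in raws:
        try:
            hit = classify(raw)
        except ValueError:          # malformed packets are dropped, not passed
            dropped.append(("malformed", None))
            continue
        if hit is None:
            passed.append(raw)
        else:
            dropped.append((hit, parse_ipv4(raw).src))
    return passed, dropped


# Constructed sample packets (assumption: documentation addresses, no checksums).
def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport, dport, flags, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + data


def build_icmp_echo(data):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


SAMPLES = {
    "normal-syn":    build_ipv4(TCP, "192.0.2.10", "198.51.100.1", build_tcp(40000, 80, 0x02)),
    "syn-with-data": build_ipv4(TCP, "192.0.2.11", "198.51.100.1", build_tcp(40001, 80, 0x02, b"A" * 64)),
    "http-request":  build_ipv4(TCP, "192.0.2.10", "198.51.100.1", build_tcp(40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")),
    "small-ping":    build_ipv4(ICMP, "192.0.2.12", "198.51.100.1", build_icmp_echo(b"x" * 32)),
    "huge-ping":     build_ipv4(ICMP, "192.0.2.13", "198.51.100.1", build_icmp_echo(b"x" * 1400)),
    "dns-query":     build_ipv4(UDP, "192.0.2.14", "198.51.100.1", struct.pack("!HHHH", 5353, 53, 8, 0)),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {classify(raw) or 'pass'}")
```

Because each signature is a cheap test on a few header fields, the per-packet cost stays small, which is what makes this feasible at high throughput; the list of signatures, not the parser, is what needs tuning as flood tools change.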
Reject First IP Packets
Another option is to reject the first IP packet from any IP address. This works with the current generation of attack tools because they all tend to use a flat-distribution random number generator to generate spoofed source addresses, and they use each random address only once. This only works for websites and other TCP-based servers, because TCP is robust enough that if the first packet is rejected, the client will retransmit it and then send all subsequent packets normally.
The main problem with this approach is that once the method is discovered, attackers will adapt their tools to work around it by sending multiple packets from each random source address. Another possibility is to divert traffic to different servers based on IP protocol, or even route it differently. For a web server it might therefore be possible to route ICMP and UDP traffic bound for the web server somewhere else entirely, or block it at the router.
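As an added example (not code from the original post), the following filter implements the reject-first-packet rule with a bounded, time-limited table of sources already seen, and runs three constructed scenarios against it: a legitimate TCP client that retransmits, a spoofing flood that uses every source address exactly once, and the adapted tool the text warns about that sends two packets per address. The 60-second window, the 100,000-entry table bound, the timings, and the addresses are assumptions made up for the demonstration.

```python
from collections import OrderedDict

PASS, DROP = "pass", "drop"


class FirstPacketFilter:
    """Drop the first packet from each source address; pass later ones.

    A real TCP client retransmits its rejected SYN and gets through; a tool
    that spoofs a fresh random source for every packet never does.
    """

    def __init__(self, window: float = 60.0, max_entries: int = 100_000):
        self.window = window            # seconds a source stays "known" (assumption)
        self.max_entries = max_entries  # cap so a random-source flood cannot exhaust memory
        self.seen = OrderedDict()       # src -> time of first packet, oldest first

    def _expire(self, now: float) -> None:
        """Evict sources older than the window, and the oldest ones if the table is full."""
        while self.seen:
            src, first = next(iter(self.seen.items()))
            if now - first <= self.window and len(self.seen) < self.max_entries:
                break
            del self.seen[src]

    def decide(self, src: str, now: float) -> str:
        self._expire(now)
        if src in self.seen:
            return PASS
        self.seen[src] = now
        return DROP


def legitimate_client(f: FirstPacketFilter, src: str = "192.0.2.10"):
    """Constructed: SYN at t=0 is dropped, the retransmit at t=1 and the rest pass."""
    return [f.decide(src, t) for t in (0.0, 1.0, 1.2, 1.3)]


def spoofed_flood(f: FirstPacketFilter, n: int = 5000, per_addr: int = 1, t0: float = 10.0):
    """Constructed: n distinct spoofed sources (generated sequentially here, so
    uniqueness is guaranteed), each used per_addr times in a row.
    per_addr=1 models the tools the text describes; per_addr=2 the adapted ones.
    Returns (packets dropped, packets sent)."""
    dropped, t = 0, t0
    for i in range(n):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        for _ in range(per_addr):
            if f.decide(src, t) == DROP:
                dropped += 1
            t += 0.001
    return dropped, n * per_addr


if __name__ == "__main__":
    print("legitimate client:", legitimate_client(FirstPacketFilter()))
    print("one packet per spoofed source:", spoofed_flood(FirstPacketFilter()))
    print("two packets per spoofed source:", spoofed_flood(FirstPacketFilter(), per_addr=2))
```

The third scenario shows the limitation exactly as the text describes it: once a tool reuses each spoofed address, half the flood passes the filter. Bounding the table size matters for the same reason, since every distinct spoofed source costs one table entry and a flood of unique sources would otherwise grow the table without limit.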