A number of Swedish media sites are down right now, newspapers and stuff, due to a DDoS attack of some kind. Now, this is serious. News sites are at the core of a free and open society.
This got me thinking about how to solve DoS in general and there are ways. I’d suggest two mechanisms.
1. Move from a pull model to a push model for subscribed web content. Push can be done from any old place, so there’s nothing for the attackers to DoS. I’d imagine the client to have a front end or proxy that checks for the right digital signatures to allow content in. The bad guys can still DoS the clients, but with very little return on investment. Not so surprisingly, we don’t have the required technologies in place, but there’s an abundance of components already in existence for such a system, so it should be straightforward to assemble.
2. For those services that can’t be done with push, use a smarter client that is able to go look for services according to preset algorithms or using a form of dynamic DNS. IOW, move the load balancer to the client side instead of the server side. (I’ve done this, it works.) This won’t eliminate a DoS entirely, but will make it orders of magnitude more difficult.
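The signature-checking front end from point 1, as an added example in Go that is not from the original post: a client-side inbox that pins one publisher's Ed25519 public key and drops anything that does not verify, or that reuses an old sequence number (the replay check is a detail the post does not spell out). The Sign helper, the sequence-number framing and the constructed keypair are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// PushedItem: content, a strictly increasing sequence number (stops replay of
// old but validly signed items) and the publisher's signature over both.
type PushedItem struct {
	Seq       uint64
	Content   []byte
	Signature []byte
}
// signedBytes binds seq to content so one signature covers both.
func signedBytes(seq uint64, content []byte) []byte {
	buf := make([]byte, 8, 8+len(content))
	binary.BigEndian.PutUint64(buf, seq)
	return append(buf, content...)
}
// Sign is the publisher side (hypothetical helper written for this example).
func Sign(priv ed25519.PrivateKey, seq uint64, content []byte) PushedItem {
	sig := ed25519.Sign(priv, signedBytes(seq, content))
	return PushedItem{Seq: seq, Content: content, Signature: sig}
}
// Inbox is the client-side front end: pinned publisher key, newest accepted seq.
type Inbox struct {
	PublisherKey ed25519.PublicKey
	lastSeq      uint64
}
// Receive admits an item only if it verifies under the pinned key and is newer
// than anything already accepted; anything else is dropped before it is read.
func (in *Inbox) Receive(item PushedItem) error {
	if !ed25519.Verify(in.PublisherKey, signedBytes(item.Seq, item.Content), item.Signature) {
		return errors.New("rejected: bad signature")
	}
	if item.Seq <= in.lastSeq {
		return errors.New("rejected: replayed or stale seq")
	}
	in.lastSeq = item.Seq
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher keypair
	in := &Inbox{PublisherKey: pub}
	fmt.Println(in.Receive(Sign(priv, 1, []byte("edition 1")))) // <nil>
}
```

Because verification is a fixed-cost check against a pinned key, an attacker who floods the inbox with junk pays for every message while the client discards each one before parsing it.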
The problem here is that there is no incentive for the large hosting players to do anything that diminishes the need for giant pipes and huge data centers. So we can’t count on them to help out.