How can a website distinguish between lack of capacity and a denial-of-service attack? For example, websites often experience a tremendous increase in volume of traffic right after an advertisement with the site’s URL is shown on television during the broadcast of a popular sporting event. That spike in usage is the result of normal access that happens to occur at the same time. How can a site determine that high traffic is reasonable?

What will be an ideal response?

A key factor is what the traffic does: do people access the site, browse the content, and perhaps engage in a transaction, or are the requests one-­?shot transmissions: ping or session setup messages? Unfortunately, a front-­?end router cannot easily distinguish session setup messages from legitimate users versus those from attackers, because good and bad sessions both begin with a setup. Over time, a site can see an abnormally high number of incomplete sessions or other single event.