ECMP and DDoS Client Authentication

When deploying DDoS mitigation, it is normal to enable some kind of client authentication method to determine whether a client is valid. For example, a DDoS mitigator might use TCP authentication to prevent a SYN flood attack: the first TCP connection from a client never reaches the intended server. Instead, the DDoS mitigator checks the 3-way handshake itself, behaving as the target server by responding with a SYN-ACK. The assumption is that only a valid client will then respond with an ACK to finish the handshake, and only then is the client considered valid. The mitigator still RSTs this connection, and forwards all subsequent connections from the same client. If a client cannot finish the 3-way handshake (no ACK is received), the mitigator can either keep trying to authenticate it or put the client IP on a blacklist and drop all of its connections.

But when deploying multiple DDoS mitigators using ECMP, extra considerations are needed for any type of client authentication. ...
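The following is an added example, not code from the original page: a toy model of the TCP authentication described above, run behind two mitigators to show one case an ECMP deployment has to account for. It assumes each mitigator keeps its own unshared state and that the router hashes either the full 5-tuple or the source IP only; the `Mitigator` class, the byte-sum hash and the addresses are constructed for illustration.

```python
class Mitigator:
    """One DDoS mitigator holding its own, unshared authentication state."""

    def __init__(self):
        self.pending = set()    # flows answered with SYN-ACK, waiting for the ACK
        self.valid = set()      # client IPs that completed the handshake
        self.blacklist = set()  # client IPs that never sent the ACK

    def handle(self, flow, flag):
        src_ip = flow[0]
        if src_ip in self.blacklist:
            return "DROP"
        if src_ip in self.valid:
            return "FORWARD"            # authenticated earlier: pass to the server
        if flag == "SYN":
            self.pending.add(flow)
            return "SYN-ACK"            # answer on behalf of the server
        if flag == "ACK" and flow in self.pending:
            self.pending.discard(flow)
            self.valid.add(src_ip)
            return "RST"                # client is valid; it has to reconnect
        return "DROP"

    def expire(self, flow):
        """No ACK arrived in time: take the blacklist option from the text."""
        if flow in self.pending:
            self.pending.discard(flow)
            self.blacklist.add(flow[0])


def ecmp_pick(flow, n, key):
    """Toy stand-in for the router's ECMP hash (assumption: real hashes differ)."""
    fields = flow if key == "5-tuple" else flow[:1]   # "src-ip": source IP only
    return sum(repr(fields).encode()) % n


def run(key, n=2):
    """First connection from port 40000, then a reconnect from port 40001."""
    pool = [Mitigator() for _ in range(n)]
    first = ("198.51.100.7", 40000, "203.0.113.10", 443, "tcp")   # constructed
    second = ("198.51.100.7", 40001, "203.0.113.10", 443, "tcp")  # constructed
    steps = [(first, "SYN"), (first, "ACK"), (second, "SYN")]
    return [pool[ecmp_pick(f, n, key)].handle(f, flag) for f, flag in steps]


if __name__ == "__main__":
    print("5-tuple hash:", run("5-tuple"))
    print("src-ip hash: ", run("src-ip"))
```

In this model the reconnect is challenged again when the hash includes the source port, because it lands on a mitigator that never saw the first handshake; with source-IP hashing it is forwarded.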