Computing Reviews

DDoS defense by offense
Walfish M., Vutukuru M., Balakrishnan H., Karger D., Shenker S. ACM Transactions on Computer Systems 28(1): 1-54, 2010. Type: Article
Date Reviewed: 07/09/10

Two methods are usually used to defend against distributed denial-of-service (DDoS) attacks: the first method provides lots of resources to satisfy requests, so that services cannot be denied; the other method builds a blacklist for denying requests.

This paper proposes a different approach: allocate a fair amount of bandwidth and resources, such as central processing unit (CPU) time and memory, to each connection, instead of trying to distinguish who is and who isn’t an attacker. The assumption is that attackers would use most of their uplink bandwidth to infiltrate; therefore, the method encourages all clients to increase their bandwidth usage. Under this scenario, malicious clients cannot react to the encouragement, while good clients can obtain better service than before.

This method has three main steps: limit requests to a defending server to a threshold; encourage all clients to send more traffic (for example, by resending the same message); and proportionally allocate bandwidth owned by the server according to the delivered bandwidth of all clients.
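The three steps can be followed in a simplified model, added here as an illustration and not taken from the paper or from the authors' implementation. The client counts, rates, capacity and function names are constructed assumptions, and capacity left unused after capping each client at its demand is not redistributed.

```python
from fractions import Fraction

CAPACITY = 100  # requests/s the defended server can handle (constructed value)

def allocate(capacity, clients, encourage):
    """Return requests/s served per client.

    clients: name -> (demand, uplink), both in request-sized units per second.
    demand is what the client sends unprompted; uplink is the most it can send.
    """
    if sum(d for d, _ in clients.values()) <= capacity:
        # Step 1: below the threshold nothing is rationed.
        return {n: Fraction(d) for n, (d, _) in clients.items()}
    # Step 2: under overload, encouraged clients pad traffic up to their uplink.
    delivered = {n: (u if encourage else d) for n, (d, u) in clients.items()}
    total = sum(delivered.values())
    # Step 3: capacity is shared in proportion to delivered bandwidth,
    # and no client is served more than it asked for.
    return {n: min(Fraction(clients[n][0]), Fraction(capacity * bw, total))
            for n, bw in delivered.items()}

def good_served(good_uplink, encourage):
    """Total requests/s served to good clients in a constructed scenario."""
    clients = {f"good{i}": (5, good_uplink) for i in range(10)}
    # Attackers already send at full uplink, so encouragement changes nothing.
    clients.update({f"bad{i}": (50, 50) for i in range(5)})
    served = allocate(CAPACITY, clients, encourage)
    return sum(v for n, v in served.items() if n.startswith("good"))

if __name__ == "__main__":
    # Compare good clients with plenty of spare uplink against ones with little.
    for uplink in (50, 8):
        print(uplink, float(good_served(uplink, False)),
              float(good_served(uplink, True)))
```

In this model the benefit to good clients depends entirely on how much spare uplink they have relative to the attackers' aggregate bandwidth.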

The authors claim that the idea is also applicable to network address translation (NAT) and proxy environments. However, the corresponding evaluation is not included in Section 8, the experimental evaluation part. The claim that evaluation is based on local area networks (LANs) disregards the fact that, currently, many users connect to the Internet via asymmetric digital subscriber lines (ADSLs).

While users with bandwidth to spare could apply this method, most users are controlled by service providers or run peer-to-peer (P2P) applications. Bandwidth is not something that users can control. The paper is written in a question-and-answer style, and the first part reads like an advertisement.

Reviewer: R. S. Chang
Review #: CR138154 (1012-1247)
