Abstract: Techniques are provided for blocking forgiveness in a system that mitigates distributed denial of service (DDoS) attacks on a network. A user's network address can be blocked as a result performing human behavior analysis on network resource request activity from the user's address. The system can block an address temporarily based on their behavior, classifying legitimate human users as a malicious attacker performing a DDoS attack. But subsequent behavioral analysis of network resource requests can identify that the user should not have been blocked. The system can automatically unblock the user's address, and allow further network resource requests. Previously blocked requests can also be unblocked. The number of infractions (e.g., action classified as malicious) can be tracked and compared to a threshold. If the number is less than the threshold, then that address is not blocked, thereby allowing forgiveness of a certain number of infractions.

Abstract: A system can monitor the server for indications of an attack and adjusts server settings accordingly. In response, the system can increase server tolerance in a systematic way to deal with DDoS by adjusting server settings appropriately. Conversely, when the server is not under attack, the settings can be adjusted to those for standard operations (e.g., adjusted downward), as they are more optimal for normal, non-attack operations.

Abstract: Embodiments provide system and methods for a DDoS service using a mix of mitigation systems (also called scrubbing centers) and non-mitigation systems. The non-mitigation systems are less expensive and thus can be placed at or near a customer's network resource (e.g., a computer, cluster of computers, or entire network). Under normal conditions, traffic for a customer's resource can go through a mitigation system or a non-mitigation system. When an attack is detected, traffic that would have otherwise gone through a non-mitigation system is re-routed to a mitigation system. Thus, the non-mitigation systems can be used to reduce latency and provide more efficient access to the customer's network resource during normal conditions. Since the non-mitigation servers are not equipped to respond to an attack, the non-mitigation systems are not used during an attack, thereby still providing protection to the customer network resource using the mitigation systems.