@@ -792,7 +792,7 @@ DNS over HTTPS (DoH)
792792
793793 *Capacity is another aspect of network infrastructure that is
794794 vulnerable to malicious attack. Such attacks—or as they are
795- commonly known, * Denial of Service (DoS) * attacks—threaten
795+ commonly known, * Denial of Service (DoS) * attacks—threaten
796796 availability (as opposed to confidentiality or integrity). They
797797 typically involve an adversary trying to overwhelm "good" resources
798798 (link bandwidth, packet forwarding rates, server response
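Review bot: the -/+ pair at 795 renders identically ("commonly known, * Denial of Service (DoS) * attacks—threaten"), so whatever changed on that line is invisible in this view, most likely trailing whitespace or a swapped dash/space character; say so in the commit message so nobody later reads it as a wording change. While here, the spaces inside the emphasis markers (`* Denial of Service (DoS) *`) are worth verifying in the rendered output, since inline emphasis generally requires the marker to touch the text it wraps, as in `*Denial of Service (DoS)*`.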
@@ -801,24 +801,24 @@ DNS over HTTPS (DoH)
801801 devices). Many of the defenses described in this book help protect
802802 devices from being compromised in the first place, but because they
803803 are not perfect (a human is usually the weakest link), we also need
804- ways to mitigate the impact of a * Distributed DoS (DDoS) * attacks.
804+ ways to mitigate the impact of * Distributed DoS (DDoS) * attacks. *
805805
806- The DDoS challenge is addressed by two general countermeasures;
806+ * The DDoS challenge is addressed by two general countermeasures;
807807 there is no silver bullet. The first is to absorb potential attacks
808808 with even greater resources than the adversary is able to
809809 muster. For content, this is done using the same mechanism as is
810- used to absorb flash crowds of legitimate traffic: a * Content
811- Distribution Network (CDN) *. The idea is to replicate content
810+ used to absorb flash crowds of legitimate traffic: a * Content
811+ Distribution Network (CDN). * The idea is to replicate content
812812 (whether it's a movie or a critical piece of infrastructure
813813 metadata) across many, widely-distributed servers. As long as the
814814 aggregate capacity of these servers is greater than the aggregate
815- capacity of the botnet, content remains available. This notion of
816- * aggregate * capacity generalizes beyond servers responding to GET
815+ capacity of the botnet, content remains available. This notion of *
816+ aggregate * capacity generalizes beyond servers responding to GET
817817 requests. A network is itself a distributed collection of
818818 forwarding and transmission resources, engineered to distribute
819- those resources in a way that avoids vulnerable bottlenecks.
819+ those resources in a way that avoids vulnerable bottlenecks. *
820820
821- The second countermeasure is to filter malicious traffic as early
821+ * The second countermeasure is to filter malicious traffic as early
822822 (close to the source) as possible. If a DoS attack comes from a
823823 single source, then it is easy to "block" traffic from from that
824824 source at an ingress to a network you control. This is why DoS
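Review bot: the marker moves at 804/806 and 819/821 close the emphasis at the end of one paragraph and reopen it at the start of the next, but the matching edit at 815/816 leaves a dangling ` *` at the end of 815 with the word it should wrap ("aggregate") on the following line; a marker followed by whitespace and a line break is usually not parsed as an opening delimiter, so put it back at the start of 816 (e.g. `*aggregate* capacity`) or keep the word on the same line. Dropping the stray "a" in "the impact of a Distributed DoS (DDoS) attacks" at 804 is a good catch; the same sweep could also fix the duplicated "from from" in the unchanged context at 823 ("block" traffic from from that source).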