| Where | What | Who | How | Novel/shared | Trust/coordination | State | Alignment | |
| A.1.[.1] | Routers | none (local router config) | Sources-only (local) | Trust is inherent as configs are local to routed resource holders | prevent admission of attack traffic | none needed | routers | Fully misaligned. Beneficiaries cannot deploy. Deployers gain no benefits |
| [A.1.2] | Routers | router upgrade state and processing in routers | Cadres of on-path ISPs (transit) | router state and enforcement | in-network processing | 1:n destination to all sources | routers | Fully misaligned. Beneficiaries cannot deploy. Deployers gain no benefits |
| [A.1.3] | Routers | partial router upgrade, state in packets | Cadres of on-path ISPs (transit) | packet state and router enforcement | in-network processing | 1:n destination to all sources | routers | Fully misaligned. Beneficiaries cannot deploy. Deployers gain no benefits |
| A.2.1 | Routers+packets | router upgrade (processing in routers and state packets) | Cadres of on-path ISPs (transit) | Packet state annoteated + router enforcement | state in packet, precompute auth | 1:n destination to all sources | packets and/or routers | misaligned: on-pathrouters do not benefit from deployment |
| A.2.2 | Routers+packets | router upgrade (state in packets) | on-path routers (transit) | ongoing packet annotation | simple | none needed | packets and routers | misaligned Deploying routers gain no benefit |
| A.3 | Routers+endhosts | Address renumbering + router upgrade | global: all routers (transit) | destinations disseminate reachability with authorization | eliminate attack surface | n:m Global resource certification neeed | routers | misaligned global cost/flag-day needed |
| B.1 | Routers | router upgrade (ML processing) | on-path routers (transit) | ML on locally observed traffic | Drop based on local observations | N/A | routers | Aligned. Routers upgraded at victim, but reduced benefits of detecting at receiver |
| B.2 | Routers | router upgrade (ML processing) | on-path routers (transit) | ML on locally observed traffic | Drop based on local observations | N/A | routers | Misaligned. Routers outside of victim gain no benefit from upgrade, and less accurate than B.1 (though greater global protection) |
| B.3 | Routers | router upgrade (ML processing) | on-path routers (transit) | ML on locally observed traffic | Drop based on local+distributed observations | n:m inter-ISP trust needed | routers | Misaligned. Routers outside of victim gain no benefit from upgrade, more accurate than B.2, and better position to mitigate than B.1, but requires distributed authorization and trust (not specified) |
| C.1 | Routers | none (local routing update) | Sources-only (local) | Route attack traffic to blackhole | Stop attack at source(s) | n:m inter-ISP trust needed | routers | Aligned (sources directed by victims), but collatoral damage |
| C.2 | Routers | none | MaaS providers only (local) | Route announcement to dedicated infrastructure | No infrastructure changes needed | 1:1 business incetivized | N/A | Fully incentive aligned, but scalability misaligned |
| C.3.1 | Routers | Traffic filters | Access provider ISPs (and upward) (transit) | New peering negotation/authorization, then destinations push filters | Reduced data-plane state, increased control-plane complexity and state | 1:n inter-ISP trust needed | routers | Partial alignment, access providers get paid to privide service, but not all customers may want/benefit from upgrade. Potential for filters to impact other customers |
| C.3.2 | endhosts and overlay-routers | endhosts | endpoints and overlay (local) | transmit/recieve all service traffic over overlays | No changes needed to existing routing infrastructure | 1:1 business incetivized | Overlay+endpoints | Full alignment. But sclability mismatch (all traffic must be supported/supportable over overlay infrastructure), and endpoints must use overlay network stack |
| C.4 | endhosts and overlay-routers | endhosts and service-routers | endpoints and overlay (local) | L7 puzzles to transmit ``moving'' service location | No changes needed to existing routing infrastructure | 1:1 business incetivized | endpoints | Full alignment. But sclability endpoints must use MTD admission and additional IP destinations needed (to move between) |
| D.1 | edge | routers upgrade | individual networks (local) | Builds detection/mitigation into SDN control infrastructure | After network-wide upgrade to SDN, no further upgrades needed for full programability. | none needed | SDN controller | Aligned, but marginally effective as solution is inherently intra-domain and volumetric DDoS overwhelms victims by the time traffic gets there. |
| D.2 | routers | routers upgrade | global: all routers (transit) | Routers mark congestion and signal each other | Simplifies DDoS detection (as congestion), but requires peering control-plan coordiantion and symmetric key establishment across administrative borders. | 1:n inter-ISP trust needed | routers and packets | misaligned. Deploying routers gain no benefit, but excesive drops are a risk and additional peering complexity is a risk |
| D.3 | routers | Router upgrade | Access provider ISPs (and upward) (transit) | Like-minded communities of trust/client-vendors share observed events. Subscribers implement filters after being notified | Opt-in protections | n:m inter-ISP trust needed | Routers | Aligns, mult limited efectiveness with limitted deployment, needed upgrades at ISP may only benefit some customers |