"That tension is probably the most interesting part of the paper," Zuckerman admitted. "To prevent DDoS, you have to move to a [hosting provider] big enough to defend your site, but the problem with that is you have to find the right provider."

The largest hosting services, dubbed "Tier 1" firms, have a decided advantage over smaller providers, an even bigger one over organizations that try to host their own site, Zuckerman pointed out.

"If you're a Tier 1 ISP, you're on a bunch of closed mailing lists, you're part of a trusted system, you probably are friends with people who work at other Tier 1s, you have deep contacts in the space, so you can call someone up to ask them to null route traffic to help you get over this attack," said Zuckerman. "That's actually how DDoS prevention often works."

Smaller ISPs, or groups self-hosting, aren't part of this "old boy" network, and are out in the cold.

"In certain DDoS attacks, like those that simply overwhelm your site's bandwidth, you have to go upstream, filtering doesn't help," said Zuckerman, referring to the ISP that is "upstream," or higher in the Internet food chain. "If you can't access those guys at the larger ISPs, it's really hard to fend off an attack. So you're screwed."