Anycast will not work for P1999 because we cannot replicate our service across multiple data centers (that would result in 10 copies of the server). Turp, the problem with your diagram is that somehow your router is magically detecting which traffic is 'bad' and sending it elsewhere, and unfortunately that is not possible.
I think Rogean could actually do a lot more against these attacks than he has, probably because he has a job and such. Some interesting things:
- Why not keep a list of IPs that send each packet and cross-reference against the list of IPs that are logged in? It would not surprise me at all if this is one guy, or one IP is sending a hugely different set of packets than anyone else. Probably they have only found one vulnerability and are just hammering on it, so you should see 1 IP with 95% "requesttrackinginfo" packets or something when no one else has more than 20%.
- Detecting a DOS attack should be fairly easy (just have a ping process or monitor CPU load or whatnot) and at that point enable profiling to see which part of the code they are attacking (if they are overloading the CPU, not the network).
- Search the logs for AON transactions and try to trace them back to their source to find which ones were duped and which characters acquired the duped ones.
The corollary to all of this is that I'm making the assumption they are sending Everquest packets because they have found some vulnerability in the server code. If they are just flooding the datacenter with DNS packets or whatnot, there is nothing Rogean can do other than pay for more bandwidth.
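Here is a sketch of the per-IP opcode cross-check from the first bullet above, written as an added example for this thread; it is not the poster's code and not anything from the P1999 server. The log format (one "ip opcode" pair per line), the opcode names, the IP addresses, the logged-in list and the 80% / 2x thresholds are all constructed for the illustration. It flags two things the post describes: an IP that is sending game packets without any logged-in character, and a logged-in IP whose traffic is dominated by a single opcode far more than anyone else's.

```python
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed sample traffic, not real P1999 logs.

    Three ordinary players send a mixed diet of opcodes, one logged-in IP
    hammers a single opcode, and one IP sends packets with no character
    logged in at all.
    """
    lines = []
    for ip in ("10.0.0.5", "10.0.0.9", "10.0.0.12"):
        lines += [f"{ip} ClientUpdate"] * 12
        lines += [f"{ip} ChannelMessage"] * 4
        lines += [f"{ip} RequestTrackingInfo"] * 3
        lines += [f"{ip} Consider"] * 1
    # the "one guy hammering one vulnerability" case: 95% of one opcode
    lines += ["203.0.113.7 RequestTrackingInfo"] * 95
    lines += ["203.0.113.7 ClientUpdate"] * 5
    # packets arriving from an IP that never logged a character in
    lines += ["198.51.100.3 ClientUpdate"] * 8
    return "\n".join(lines)


# Assumed list of IPs with a character currently logged in (constructed).
LOGGED_IN_IPS = {"10.0.0.5", "10.0.0.9", "10.0.0.12", "203.0.113.7"}


def parse_packet_log(text):
    """Return {ip: Counter(opcode -> count)} from "ip opcode" lines."""
    per_ip = defaultdict(Counter)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, opcode = line.split(maxsplit=1)
        per_ip[ip][opcode] += 1
    return per_ip


def flag_suspicious(per_ip, logged_in, share_threshold=0.8, min_packets=20):
    """Return {ip: reason} for IPs worth a closer look.

    An IP is flagged if it has no logged-in character, or if one opcode
    makes up at least share_threshold of its traffic AND that share is more
    than double the highest share of the same opcode seen from any other
    logged-in IP (so a player who legitimately spams one thing is not
    flagged just because everyone else spams it too).
    """
    findings = {}
    totals = {ip: sum(c.values()) for ip, c in per_ip.items()}
    for ip, opcodes in per_ip.items():
        total = totals[ip]
        if ip not in logged_in:
            findings[ip] = f"{total} packets from an IP with no logged-in character"
            continue
        if total < min_packets:
            continue  # too little traffic to judge a distribution
        opcode, n = opcodes.most_common(1)[0]
        share = n / total
        if share < share_threshold:
            continue
        # baseline: the highest share of this opcode among the OTHER logged-in IPs
        others = [per_ip[o][opcode] / totals[o]
                  for o in per_ip if o != ip and o in logged_in and totals[o] > 0]
        baseline = max(others, default=0.0)
        if share > 2 * baseline:
            findings[ip] = (f"{share:.0%} {opcode} "
                            f"vs. no one else above {baseline:.0%}")
    return findings


if __name__ == "__main__":
    per_ip = parse_packet_log(build_sample_log())
    for ip, reason in flag_suspicious(per_ip, LOGGED_IN_IPS).items():
        print(f"{ip}: {reason}")
```

On the constructed sample this reports 203.0.113.7 at 95% RequestTrackingInfo against a 15% baseline, and 198.51.100.3 as unauthenticated; the three ordinary players top out at 60% ClientUpdate and stay below the threshold. The baseline comparison matters more than the fixed threshold: whatever opcode the attacker is abusing, the useful signal is how far that IP's distribution sits from everyone else's.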