Distributed Denial Of Service (DDoS) attacks are familiar threats to Internet users for more than ten years. Such attacks are carried out by a “Bot net”, an army of zombie hosts spread around the Internet, that overwhelm the bandwidth toward their victim Web server, by sending traffic upon command. This paper introduces WDA, a novel architecture to attenuate the DDoS attacker’s bandwidth. WDA is especially designed to protect Web farms. WDA is asymmetric and only monitors and protects the uplink toward the Web farm, which is the typical bottleneck in DDoS attacks. Legitimate traffic toward Web farms is very distinctive since it is produced by humans using Web browsing software. Specifically, such upload traffic has low volume, and more importantly, has long off times that correspond to human view time. WDA utilizes these properties of legitimate client traffic to distinguish it from attack traffic, which tends to be continuous and heavy. A key feature of WDA is in its use ...