InfoWorld: We can prevent those distributed denial of service attacks with 'egress filtering'Feb 26, 2000, 17:06 (4 Talkback[s])
(Other stories by Brian Livingston)
"Ironically, DDoS attacks are so technically crude that they can be almost entirely prevented by a simple change in most networks. Systems that spread the DDoS attack failed to have 'egress filtering' turned on."
"Either fix involves a simple change to a configuration file for a router. It imposes no performance penalty, because the system only checks that the address prefix of each packet is valid. The Internet Society provides a paper called Request for Comments 2267 that describes these procedures and other steps to take (see info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt)."
"In addition, firewalls are essential protection for any system with a high-speed connection to the Internet. WatchGuard Technologies, which I wrote about in several columns last fall, offers five firewall appliances scaled for small to large businesses. WatchGuard provides an excellent white paper on the latest attacks (see www.watchguard.com/press/ddos1.asp, particularly the Resources section)."