Linux Today: Linux News On Internet Time.

SRO: Trying To Stop The DDoS Train

Mar 10, 2000, 16:30
(Other stories by Rich Santalesa, David Harvey)

"The recent wave of denial-of-service (DoS) attacks underscored what has been a slowly ripening realization for solutions providers: The old open-trust Net model is a sure recipe for disaster. Unfortunately, the massively distributed architecture that is the Internet contained within it the root cause of the most serious of DoS attacks."

"...there are some attacks that can be stopped. These are the so-called 'smurf' attacks that use Internet Control Message Protocol (ICMP) echo request packets aimed at overloading network traffic."

"One key to making smurf and other attacks work is address spoofing—faking addresses so they appear as if they originated from either within your own network or from a trusted domain. There's a twofold strategy for defeating those attacks. First, configure all of your routers to deny IP-directed broadcast traffic. That is a fairly safe maneuver; virtually the only time IP broadcasting is required is for certain administrative tasks. The second step is to filter all traffic at the edge for packets that don't originate on your internal network. Those sorts of problems are tailor-made for something like policy-based firewalling."
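
The twofold strategy in the excerpt above, modelled as an edge-filter decision function. This is an added example, not code from the article or from Linux Today; the internal prefixes, the sample addresses and the name `edge_decision` are constructed for illustration.

```python
import ipaddress

# Constructed example: prefixes of a hypothetical internal network
# (documentation address ranges, not real assignments).
INTERNAL = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def is_internal(addr):
    """True if addr belongs to one of the internal prefixes."""
    return any(addr in net for net in INTERNAL)


def is_directed_broadcast(addr):
    """True if addr is the broadcast address of an internal subnet."""
    return any(addr == net.broadcast_address for net in INTERNAL)


def edge_decision(direction, src, dst):
    """Decide what an edge router should do with one packet.

    direction is "in" (arriving from the Internet) or "out" (leaving
    the site); src and dst are dotted-quad strings.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if direction == "in":
        # An outside packet claiming an inside source address is spoofed.
        if is_internal(s):
            return "drop: spoofed internal source"
        # Step one: never forward IP-directed broadcasts, so the site
        # cannot be used as a smurf amplifier.
        if is_directed_broadcast(d):
            return "drop: directed broadcast"
        return "forward"
    if direction == "out":
        # Step two: only packets that originate on the internal network
        # may leave, so hosts here cannot send spoofed traffic.
        if not is_internal(s):
            return "drop: source not on internal network"
        return "forward"
    raise ValueError("direction must be 'in' or 'out'")
```
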
