“Ironically, DDoS attacks are so technically crude that they
can be almost entirely prevented by a simple change in most
networks. Systems that spread the DDoS attack failed to have
‘egress filtering’ turned on.”
“Either fix involves a simple change to a configuration file for
a router. It imposes no performance penalty, because the system
only checks that the address prefix of each packet is valid. The
Internet Society provides a paper called Request for Comments 2267
that describes these procedures and other steps to take (see
info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt).”
“In addition, firewalls are essential protection for any system
with a high-speed connection to the Internet. WatchGuard
Technologies, which I wrote about in several columns last fall,
offers five firewall appliances scaled for small to large
businesses. WatchGuard provides an excellent white paper on the
latest attacks (see www.watchguard.com/press/ddos1.asp,
particularly the Resources section).”