SRO: Trying To Stop The DDoS Train

“The recent wave of denial-of-service (DoS) attacks underscored
what has been a slowly ripening realization for solutions
providers: The old open-trust Net model is a sure recipe for
disaster. Unfortunately, the massively distributed architecture
that is the Internet contained within it the root cause of the most
serious of DoS attacks.”

“…there are some attacks that can be stopped. These are
the so-called ‘smurf’ attacks that use Internet Control Message
Protocol (ICMP) echo request packets aimed at overloading network

“One key to making smurf and other attacks work is address
spoofing—faking addresses so they appear as if they
originated from either within your own network or from a trusted
domain. There’s a twofold strategy for defeating those attacks.
First, configure all of your routers to deny IP-directed broadcast
traffic. That is a fairly safe maneuver; virtually the only time IP
broadcasting is required is for certain administrative tasks. The
second step is to filter all traffic at the edge for packets that
don’t originate on your internal network. Those sorts of problems
are tailor-made for something like policy-based firewalling.”
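As an added illustration that is not part of the quoted article, the following Python models the two-step policy described above as a packet filter: deny any packet aimed at the broadcast address of an attached subnet, then drop edge traffic whose source address does not belong where it arrived. The address blocks, interface names and sample packets are constructed for this example.

```python
import ipaddress

# Constructed sample topology (an assumption for this example, not from the article):
# the address blocks this edge router is responsible for and the subnets attached to it.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]
ATTACHED_NETS = INTERNAL_NETS  # their broadcast addresses are the directed-broadcast targets

# Constructed packets as (ingress interface, source, destination, protocol).
SAMPLE_PACKETS = [
    ("outside", "203.0.113.7", "192.0.2.255", "icmp-echo-request"),  # smurf amplification attempt
    ("outside", "192.0.2.10", "192.0.2.20", "tcp"),                  # outside packet with an inside source
    ("inside", "203.0.113.9", "203.0.113.50", "icmp-echo-request"),  # inside host using a foreign source
    ("outside", "203.0.113.7", "192.0.2.20", "icmp-echo-request"),   # ordinary ping to one host
    ("inside", "192.0.2.20", "203.0.113.7", "icmp-echo-reply"),      # ordinary reply leaving the network
]


def filter_packet(iface, src, dst, proto):
    """Return None if the packet passes, else the name of the rule that dropped it."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    # Step 1: deny IP-directed broadcast. Any packet, not only ICMP, aimed at the
    # broadcast address of an attached subnet would be fanned out to every host on it.
    if any(dst_ip == net.broadcast_address for net in ATTACHED_NETS):
        return "directed-broadcast"
    # Step 2: filter spoofed sources at the edge (the ingress filtering later
    # written up as RFC 2827 / BCP 38).
    src_is_ours = any(src_ip in net for net in INTERNAL_NETS)
    if iface == "outside" and src_is_ours:
        return "spoofed-internal-source"   # outside traffic claiming to come from inside
    if iface == "inside" and not src_is_ours:
        return "spoofed-external-source"   # our hosts may not originate foreign addresses
    return None


def run_filter(packets=SAMPLE_PACKETS):
    """Apply the policy to each packet; returns a list of (packet, verdict) pairs."""
    return [(pkt, filter_packet(*pkt)) for pkt in packets]


if __name__ == "__main__":
    for pkt, verdict in run_filter():
        label = "PASS" if verdict is None else "DROP " + verdict
        print(f"{label:30s} {pkt}")
```

The egress rule is the one that keeps your own hosts from being used as the spoofing source in someone else's smurf attack, which is why the quoted text calls for filtering in both directions at the edge.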