Though there is no true means of defending against Denial of Service (DoS) attacks, the most effective means seem to be passive countermeasures. Passive countermeasures are used to prevent network resources from being taken over by crackers as clients for a DoS attack.
Specific passive countermeasures include configuring the router to do egress filtering, thus preventing spoofed traffic from exiting the network; asking the Internet Service Provider to configure routers to perform ingress filtering on the network; using a firewall that exclusively employs application proxies; and disallowing unnecessary ICMP, TCP, and UDP traffic. Moreover, if the ICMP traffic cannot be blocked, passive countermeasures can include disallowing unsolicited (or all) ICMP_ECHOREPLY packets; disallowing UDP and TCP, with the exception of a specific list of ports; and setting up the firewall to block any outgoing data traffic whose originating address is not on the protected network.
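The filtering rules listed above can be expressed as a small decision function; this is an added example, not code from the original entry, and the names `BorderFilter`, `PROTECTED_NET` and `ALLOWED_PORTS` are hypothetical. It assumes a protected prefix of 192.0.2.0/24 and an illustrative port allow list, and it judges only the first packet of a flow (connection tracking for return TCP/UDP traffic is left out).

```python
import ipaddress

# Assumptions for illustration: protected prefix and the permitted service ports.
PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")
ALLOWED_PORTS = {("tcp", 25), ("tcp", 443), ("udp", 53)}
ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

class BorderFilter:
    def __init__(self):
        self.pending_echo = set()  # (inside host, outside host, echo id) awaiting a reply

    def decide(self, direction, pkt):
        """Return 'accept' or 'drop: <reason>' for the first packet of a flow."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        # Egress filtering: traffic leaving must carry a protected-network source.
        if direction == "out" and src not in PROTECTED_NET:
            return "drop: spoofed source on egress"
        # Ingress filtering: traffic arriving must not claim an inside source.
        if direction == "in" and src in PROTECTED_NET:
            return "drop: inside source on ingress"
        if pkt["proto"] == "icmp":
            if direction == "out" and pkt["type"] == ECHO_REQUEST:
                self.pending_echo.add((src, dst, pkt["id"]))
                return "accept"
            if direction == "in" and pkt["type"] == ECHO_REPLY:
                key = (dst, src, pkt["id"])
                if key in self.pending_echo:
                    self.pending_echo.discard(key)  # one reply per request
                    return "accept"
                return "drop: unsolicited ICMP_ECHOREPLY"
            return "drop: unnecessary ICMP"
        if pkt["proto"] in ("tcp", "udp"):
            allowed = (pkt["proto"], pkt["dport"]) in ALLOWED_PORTS
            return "accept" if allowed else "drop: port not on allow list"
        return "drop: protocol not allowed"

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLES = [
    ("out", {"src": "198.51.100.7", "dst": "203.0.113.9", "proto": "udp", "dport": 53}),
    ("in", {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "icmp", "type": 0, "id": 7}),
    ("out", {"src": "192.0.2.10", "dst": "203.0.113.9", "proto": "icmp", "type": 8, "id": 7}),
    ("in", {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "icmp", "type": 0, "id": 7}),
    ("out", {"src": "192.0.2.10", "dst": "203.0.113.9", "proto": "tcp", "dport": 6667}),
    ("out", {"src": "192.0.2.10", "dst": "203.0.113.9", "proto": "tcp", "dport": 443}),
]

def run_samples():
    fw = BorderFilter()
    return [fw.decide(direction, pkt) for direction, pkt in SAMPLES]
```

The same echo reply is dropped before the matching request has left the network and accepted once afterwards, which is the difference between unsolicited and solicited ICMP_ECHOREPLY traffic.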
See Also: Active Countermeasures; Denial of Service (DoS); Firewall; Internet Control Message Protocol (ICMP); Internet Service Provider (ISP); Passive Attacks; TCP/IP or Transmission Control Protocol/Internet Protocol; User Datagram Protocol (UDP).
AXENT Technologies, Inc. TFN2K — An Analysis. [Online, March 7, 2000.] AXENT Technologies, Inc. Website. http://gaia.ecs.csus.edu/~dsmith/csc250/lecture_notes/wk12/tfn2k.html.