Network denial-of-service attacks have one characteristic in common: spoofed addresses. This is one reason why "attacking back" is never wise: you could be attacking yourself (never a fun position to be in) or attacking an innocent third party whose only involvement with you is that the attacker spoofed their source addresses or launched his or her attack from their network.
Although most firewalls can block spoofed traffic, it's better to do that at your border router, the router that connects you to the Internet or another network outside your control. Five rules in your border router can block almost all DoS attacks. The first two help prevent spoofing; the remaining three block other kinds of bad traffic from entering your network. When you offload this work from your firewall, it has less traffic to process and more CPU time to analyze application-layer attacks. Herewith, the five rules:
1. Block all inbound traffic where the source address is in your internal network.
Why should there be traffic trying to enter your network that is coming from your network? This rule prevents someone from spoofing you.
2. Block all outbound traffic where the source address isn't in your internal network.
Why should there be traffic trying to leave your network that is coming from some place else? This rule prevents someone from using you to spoof someone else.
3. Block all inbound and outbound traffic where the source or destination address is in these ranges:
   10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (globally nonrouted, as defined in RFC 1918)
   169.254.0.0/16 (Windows automatic private IP addressing)
4. Block all source-routed traffic.
The Internet's infrastructure is so good that it always routes around outages (and censorship, too); source-routed traffic these days is crafted traffic intended to accomplish some attack.
5. Block all fragments.
Attackers still use tools to create packet fragments to circumvent certain access control mechanisms. Note, however, that IPsec-based VPNs that use IKE for key negotiation won't work once this rule is in place, because IKE packets are very long (it's the key lengths) and always get fragmented.
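The five rules expressed as a packet classifier, an added example that is not from the book: it evaluates each rule in the order given above and reports which one (if any) blocks a packet. The internal block 203.0.113.0/24 and the sample packets are constructed for the example; the direction, source-route and fragment fields stand in for what the router reads from the interface and the IP header.

```python
import ipaddress
from dataclasses import dataclass

# Assumption (constructed): the site's own address block behind the border router.
INTERNAL = ipaddress.ip_network("203.0.113.0/24")

# Rule 3: ranges that must never appear as source or destination at the border.
BOGON_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918
    ipaddress.ip_network("169.254.0.0/16"),   # Windows automatic private addressing
]


@dataclass
class Packet:
    direction: str               # "in" = arriving from outside, "out" = leaving
    src: str
    dst: str
    source_routed: bool = False  # loose/strict source-route IP option present
    fragment: bool = False       # MF flag set or fragment offset != 0


def border_filter(pkt: Packet):
    """Return None to permit the packet, or the number of the rule that blocks it."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in" and src in INTERNAL:
        return 1   # inbound packet claiming to come from us: someone spoofing us
    if pkt.direction == "out" and src not in INTERNAL:
        return 2   # outbound packet not from us: someone using us to spoof others
    if any(src in net or dst in net for net in BOGON_RANGES):
        return 3   # private / link-local address on a border interface
    if pkt.source_routed:
        return 4
    if pkt.fragment:
        return 5   # note: this also drops fragmented IKE negotiations
    return None


def audit(packets):
    """Count how many packets each rule would block; key None is the permitted count."""
    counts = {}
    for pkt in packets:
        rule = border_filter(pkt)
        counts[rule] = counts.get(rule, 0) + 1
    return counts
```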
These rules seem to make sense, don't they? Yet we still see many networks that lack some of them, especially number 2. So be a good Internet citizen: don't let attackers use you as a launching pad. And if you don't care about being a good citizen, you should care about the legal implications: recent case law has been rejecting the "innocent third party" defense; it's becoming more probable that you can be successfully sued by a victim if that victim can demonstrate that your lack of security controls enabled a bad guy to launder attacks through your network. [6]
[6] For example, California law AB 1950 requires that certain businesses take reasonable security measures to protect personal information of California citizens. Numerous bills like this have been enacted or are pending in all 50 states.
