Proactive steps to prevent DDOS?

Most are suggestions for what other networks can do to prevent them from
being a source of a DDOS attack. There is less help for what the target
of a DDOS can do.

Unfortunately, the current draft document for the Center for Internet Security
( Solaris security checklist suffers from the same problem.
It mandates RFC2644 broadcasts, RFC1918 martian and RFC2827 egress filtering,
but I couldn't find any stuff on the victim end of it.

If anybody can provide me with a good reference, I'll be happy to add it and
give credit. is what I have currently
on filtering. If you have a *partial* reference (something that will work
for *many* or *most* sites, for example), I am able to phrase it as
"Evaluate the techniques listed at <URL> for appropriateness".

Anybody got input to add?

        Valdis Kletnieks
        Operating Systems Analyst
        Virginia Tech

As far as I know, with the current level of awareness, everyone's working
hard on prevention or protection from vulnerabilities of DOS/DDOS. But when
it comes to what to do when you are in the thick of a DOS or DDOS attack,
the jury is still out on that one, I guess.

What I have learned from a white paper by Barry Greene of Cisco are the
following tidbits for "when you are in it":
After an attack is identified or classified, if the traffic is:
1. Spoofed RFC1918 and special use addresses - block or drop it.
2. Spoofed addresses that are not in the global route table - drop it.
3. Valid address from a compromised DDOS agent - either drop it or rate
limit the port.
4. Spoofed valid address from somewhere on the Internet - the hardest to
deal with, no clear course of action for this.
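The four-way triage above, written out as a small classifier that a victim could run over the source addresses seen in attack traffic to decide which filters to build. This is an added example, not code from the Cisco paper or the poster; the route table, the known-agent list and the sample sources are constructed stand-ins (documentation prefixes play the role of routable space).

```python
import ipaddress

# RFC 1918 space plus the common special-use ranges that should never be a
# source on the Internet-facing side. Kept explicit so it mirrors an ACL.
SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",      # this-net, loopback, link-local
    "224.0.0.0/4", "240.0.0.0/4",                      # multicast, reserved
)]

# Constructed stand-in for the global routing table (a real deployment would
# pull this from BGP). Only these prefixes count as reachable.
GLOBAL_ROUTES = [ipaddress.ip_network(p) for p in (
    "198.51.100.0/24", "203.0.113.0/24", "192.0.2.0/25",
)]

# Constructed list of hosts already identified as compromised DDoS agents.
KNOWN_AGENTS = {ipaddress.ip_address("203.0.113.7")}

# Constructed sample of source addresses observed during an attack.
SAMPLE_SOURCES = ["10.1.2.3", "127.0.0.1", "192.0.2.200",
                  "203.0.113.7", "198.51.100.42", "224.0.0.5"]


def classify_source(src, known_agents=KNOWN_AGENTS, routes=GLOBAL_ROUTES):
    """Map one source address to (category, action) per the four cases."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in SPECIAL_USE):
        return "spoofed-special-use", "drop"          # case 1
    if not any(addr in net for net in routes):
        return "spoofed-unrouted", "drop"              # case 2
    if addr in known_agents:
        return "compromised-agent", "rate-limit"       # case 3
    return "spoofed-valid", "no-clear-action"          # case 4


def plan_filters(sources):
    """Group observed sources by action so each list can become a filter."""
    plan = {}
    for src in sources:
        category, action = classify_source(src)
        plan.setdefault(action, []).append((src, category))
    return plan


if __name__ == "__main__":
    for action, entries in plan_filters(SAMPLE_SOURCES).items():
        print(action, entries)
```

Case 4 is the one the text calls hardest: the classifier can only flag those sources, it cannot choose a filter for them.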

You can get more out of the white paper off Cisco's web site at

Additional articles include:

Hope this helps,
Just my thoughts