While the threat of DoS attacks can’t be eliminated, it can be reduced through the following three methods:

• Anti-DoS features Proper implementation and configuration of anti-DoS features available on routers and firewalls can help limit the effectiveness of an attack. These features could include limiting the number of half-open connections allowed at any given time or limiting the number of certain types that can originate from a source address.

• Antispoofing features Proper implementation and configuration of antispoofing features on routers and firewalls can help limit a hacker’s ability to mask their identity. RFC 2827 filtering should be configured at a minimum (see the upcoming section “IP Spoofing”).

• ISP traffic rate limiting The ISP agrees to filtering limits on the amount of nonessential traffic that can cross link(s) to the company at one time. The filtering might limit the volume of ICMP traffic, a common source of distributed denial of service (DDoS) attacks, into a network because it’s used only for diagnostic purposes.