DDoS attacks?

Christopher Wagner chrisw at pacaids.com
Mon May 13 12:24:49 PDT 2002


I was reading http://grc.com/dos/drdos.htm and was thinking (a dangerous
thing, I know), what are others doing to fight this?

To quote:
--
A reflection server exploitation prevention system could be easily built
into a server-resident firewall application. However, expecting (or
relying upon) every server on the Internet to be running such an
altruistic application is probably unrealistic. Asking, or requiring,
ISP's to provide spoofed packet network egress filtering would seem to be
far more feasible . . .

The ISP's responsibility

The generation of traffic for a reflection attack depends upon source IP
address spoofing. If ISPs would begin adopting the practice of preventing
the escape of fraudulently addressed packets from within their controlled
networks, this potent attack, and its many cousins, would die overnight.
In addition to being the right thing to do by helping to prevent abuses by
their customers upon those outside the network, egress filtering also
enhances the security for an ISP's own customers because malicious hackers
would soon learn that their spoofing attack tools would not function
within an egress filtered ISP network.
--

Assuming that everyone is already familiar with the author, what do you think
about Gibson?  Is he full of hot air?  I know he's somewhat of an alarmist,
but is he worth listening to (of course, with a grain of salt)?  He seems
to have some valid points...

Any ideas of what I can do to protect myself from becoming a reflection
server?  Are there iptables rules to help prevent this?

- Christopher Wagner
chrisw at pacaids.com

Packaging Aids Corporation - Information Systems
P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116
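
The egress filtering described in the quoted passage, written as iptables rules for a Linux router. This is an added example, not part of the original post or of the quoted article. The interface name, the prefixes and the chain name EGRESS_SPOOF are assumptions, and the function only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: egress anti-spoofing rules for a Linux router or firewall.
# Assumed, not from the post: interface name, prefixes, chain name EGRESS_SPOOF.

# Print (do not run) the iptables commands. Review, then pipe to `sh` as root.
#   $1     interface facing the Internet
#   $2...  every prefix that may legitimately appear as a source address,
#          including the router's own WAN address for locally generated traffic
egress_rules() {
    if [ $# -lt 2 ]; then
        echo "usage: egress_rules WAN_IF PREFIX..." >&2
        return 1
    fi
    er_wan=$1
    shift

    # Validate everything first so a typo never yields a half-built rule set.
    # This checks only the a.b.c.d/len shape; iptables does the real parsing.
    for er_p in "$@"; do
        case $er_p in
            *[!0-9./]* | */*/* | */) echo "bad prefix: $er_p" >&2; return 1 ;;
            [0-9]*.*.*.*/[0-9]*) ;;
            *) echo "bad prefix: $er_p" >&2; return 1 ;;
        esac
    done

    echo "iptables -N EGRESS_SPOOF"
    for er_p in "$@"; do
        # Source is one of ours: hand the packet back to the calling chain.
        echo "iptables -A EGRESS_SPOOF -s $er_p -j RETURN"
    done
    # Any other source address is forged or misconfigured: log a sample, drop.
    echo "iptables -A EGRESS_SPOOF -m limit --limit 5/minute -j LOG --log-prefix 'spoofed-egress: '"
    echo "iptables -A EGRESS_SPOOF -j DROP"
    # Insert at the top so no earlier ACCEPT lets a forged packet out.
    # FORWARD sees the pre-NAT source, so list inside prefixes even when masquerading.
    echo "iptables -I FORWARD 1 -o $er_wan -j EGRESS_SPOOF"
    echo "iptables -I OUTPUT 1 -o $er_wan -j EGRESS_SPOOF"
}

# Constructed sample: documentation prefixes (RFC 5737) behind interface eth0.
egress_rules eth0 192.0.2.0/24 198.51.100.0/24
```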