Full Version: D-dos
thatsmej
How can someone protect his network against a d-dos?

Only way I can think of is to block IPs in a router..
but that even leaves the request for the d-dos somewhere...
Nightdemon
I hope this helps you:
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

google rules
tolf
You have to stop it upstream... at your ISP...
Yorn
You can turn off ICMP echo, but that's usually easier said than done, and oftentimes you need it on to know what is going on. Smart routers will realize when an ICMP DDoS is happening and shut off till the flooding stops.

Other strategies are to block how much is sent back in a reply. But really, if your ISP isn't blocking the DDoS for you, you're going to have a hard time anyway, cause the packets are still coming in, you're just not responding to them.
thatsmej
QUOTE (Yorn @ Dec 23 2003, 05:44 AM)
You can turn off ICMP echo, but that's usually easier said than done, and oftentimes you need it on to know what is going on. Smart routers will realize when an ICMP DDoS is happening and shut off till the flooding stops.

Other strategies are to block how much is sent back in a reply. But really, if your ISP isn't blocking the DDoS for you, you're going to have a hard time anyway, cause the packets are still coming in, you're just not responding to them.

thnx Nightdemon for your post,
gonna read it...

thats my point...
AdmiralB
if u ask me firewall/router usually but there are other ways which are not so practical
ifhope
QUOTE (thatsmej @ Dec 22 2003, 03:14 AM)
How can someone protect his network against a d-dos?

Only way I can think of is to block IPs in a router..
but that even leaves the request for the d-dos somewhere...

What if someone has a backup link and attacks the source of the DDoS attacker... and blocks the way...
ST.
call ISP
tolf
whats with your pic?

Dinos
If it's a really hard one, only the ISP can do something. There are some cases though where even the ISP couldn't handle it; backbones went down some years ago. On top of that, even harder is a DDoS on services, which could cause services to malfunction or crash. I have seen core routers going blind, and networks disappear with a DDoS over BGP.

In any case DDoS is really bad and I hope you will never get to have one on your network.

Dinos
secur3x
QUOTE (tolf @ Dec 23 2003, 02:12 AM)
You have to stop it upstream... at your ISP...

Depending on the size of the pipes the DDoS is coming from, the ISP ain't gonna have much chance blocking it upstream. Something will give if it's powerful enough; if your ISP router or ISP drops then the desired effect is still reached, 'cause you're gonna get disconnected either way.
tehr0x0r
I think the best way companies do this is by killing everything incoming

Nothing is received, and all packets are dropped
This way, they can't be port scanned or even hacked

This is why large companies (Sempra Energy) have not been hacked...

Because nobody knows their IP ranges, since they can't even ping them

Try disabling NETBIOS, DCOM, and block all incoming ICMP/DHCP (DHCP exploit) packets

x303
Some Firewalls block DDos, like Sygate Personal Firewall. Works Great! It logs attacker IP, MAC, Dos Type and description, and time...
packet
Well, those personal firewalls don't really fix DDoS in any respect. The fact that they block the packets is really not important at all. There are a number of products that will help screen out DoS attacks, like the Radware Defense Pro, but by the time it gets to that unit (normally sitting behind your router) your upstream pipe has already been taken up.

There are also services provided by some ISPs to have automatic DDoS protection, but then again they need to have enough bandwidth to not be taken down by it as well.

Generally most ISPs are banding together to help prevent DDoS, but it's still a big problem.

--P>G>>
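
The point made in the posts above by Yorn and packet (limiting replies locally does not help once the upstream pipe is full), as an added example that is not part of the original thread. It is a small simulation on constructed traffic; the packet rates, queue length and function names are all assumptions chosen for illustration.

```python
import random
from collections import namedtuple

Packet = namedtuple("Packet", "t kind")  # kind: "echo" (flood) or "legit"

def make_traffic(flood_pps, legit_pps, seconds, seed=1):
    """Constructed sample traffic: random arrival times, fixed seed."""
    rng = random.Random(seed)
    pkts = [Packet(rng.uniform(0, seconds), "echo") for _ in range(flood_pps * seconds)]
    pkts += [Packet(rng.uniform(0, seconds), "legit") for _ in range(legit_pps * seconds)]
    return sorted(pkts)

def uplink(pkts, link_pps, queue_len):
    """Upstream link: forwards link_pps packets/s, tail-drops once the queue is full."""
    delivered, free_at, service = [], 0.0, 1.0 / link_pps
    for p in pkts:
        backlog = max(0.0, free_at - p.t) / service  # packets already queued
        if backlog >= queue_len:
            continue  # lost on the ISP side, before any local filter sees it
        free_at = max(free_at, p.t) + service
        delivered.append(Packet(free_at, p.kind))
    return delivered

def local_router(delivered, reply_pps, burst=10):
    """Token bucket on echo replies; reply_pps=None means answer every echo."""
    tokens, last, legit, replies = float(burst), 0.0, 0, 0
    for p in delivered:
        if p.kind == "legit":
            legit += 1
        elif reply_pps is None:
            replies += 1
        else:
            tokens = min(burst, tokens + (p.t - last) * reply_pps)
            last = p.t
            if tokens >= 1:
                tokens -= 1
                replies += 1
    return legit, replies

def run(reply_pps, flood_pps=5000, legit_pps=100, link_pps=1000, seconds=5):
    """Return (legit packets that reached us, echo replies we sent)."""
    traffic = make_traffic(flood_pps, legit_pps, seconds)
    return local_router(uplink(traffic, link_pps, queue_len=50), reply_pps)

if __name__ == "__main__":
    for limit in (None, 5):
        legit, replies = run(limit)
        print(f"reply limit={limit}: legit delivered={legit}/500, replies sent={replies}")
```

The reply limit cuts outbound echo replies sharply, but the number of legitimate packets that survive the saturated uplink is the same in both runs, which is why the filtering has to happen upstream.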
Killaloop
QUOTE (tehr0x0r @ Mar 9 2004, 08:37 PM)
I think the best way companies do this is by killing everything incoming

Nothing is received, and all packets are dropped
This way, they can't be port scanned or even hacked

This is why large companies (Sempra Energy) have not been hacked...

Because nobody knows their IP ranges, since they can't even ping them

Try disabling NETBIOS, DCOM, and block all incoming ICMP/DHCP (DHCP exploit) packets

Sorry, that's wrong in every single way. If you weren't able to get the IP out of a hostname, webname, domainname, it wouldn't be possible to connect to their services. They would just not be present for anyone (destination host unknown).

ping www.sempra.com

Reply from 20x.24x.11x.24x: Bytes=32 Zeit=203ms TTL=226
Reply from 20x.24x.11x.24x: Bytes=32 Zeit=188ms TTL=226
Reply from 20x.24x.11x.24x: Bytes=32 Zeit=219ms TTL=226
Reply from 20x.24x.11x.24x: Bytes=32 Zeit=203ms TTL=226

And as others already said, there is no real way to protect yourself against DoS; you can only partially protect yourself but will still see your connection getting slower. So you are flooded but at least not DoS'd.
packet
He he... sempre.com... no ping...

In any case, he is right in some respects: if you respond to nothing, many of the scans out there will pass you by. And for serious security, having all of your services outsourced (like perhaps your website sempre.com?) will help keep your main site secure. But if you do have services running at your site (like most companies) then turning off ping helps, but many scans are service based, looking for a specific vulnerability. Many of the hacks out there aren't target based, but if they are then folks can do some simple DNS/whois digging to find you.

Generally I recommend some pretty cheap but very effective security measures. First... have your ISP be your primary MX and have them forward your mail in to you. This is a cheap way to add a whole lot of security without much cost (most ISPs will do this free with a T1). Then put a rule in your firewall to only allow access from your ISP's mail server. Then take your website to a hosting service; if your web site isn't like Amazon and you don't have a major web farm, then moving it up to a hosting service is a great way to secure yourself and save time and money by not having to worry about it.

If you have webmail, if you can afford it put something that does automatic proxying for it like the MXExtreme product or create a very specific reverse proxy for it (be careful though).

Alright... enough rambling...

--P>G>>
Killaloop
yes it all depends on your ISP.
well just 2cents from me:
I used to have a public provider called Chello (UPC group, you may know it). I used to get a few hundred spam, porn and virus mails every week because they use an open mailserver and don't filter anything. This is the problem with a big ISP which is meant to be for everyone's use. They can't filter your mails for you.
I got enough from them and switched provider.
Now I got myself a 220euro per month connection and I'm directly connected to the provider's backbone. I have a backup account which will be switched to when needed (has not happened so far).
All emails are filtered by my provider, the only mails I get are when I order food online.
All risky ports are filtered for the outside world; if I need to have something opened I would have to tell my ISP. If I have security problems or other problems I write them a mail and they call me 5 minutes later. (well for 220euro a month ^^)

Oh well enough...
All I want to say is if you are serious with your internet business you need a serious ISP, not one of those public ones, not one of those normal untrusty-unreliable-and-not-responding-to-anything telecom providers.