Preventing DDoS Attacks
The DDoS problem can only be remedied by a community effort and stricter security standards. First, administrators and home users alike need to make sure their machines are secure. The slaves used in DDoS attacks are often the product of autorooters, programs which scan thousands of machines, crack vulnerable ones and install software. Keeping patches up to date, closing open services, and implementing basic firewall filtering can help keep your machines from falling prey and participating in such an attack.
The major difficulty in defeating a DDoS lies in the spoofed IP addresses of the attackers. This problem can be solved using a technique called ingress filtering on routers. Ingress filtering inspects packets destined for the Internet at the border router, one hop prior to the core router. These routers should know the address of every device behind them; therefore, any packet whose source address falls outside of this range is spoofed. Spoofed packets should be dropped before they reach the Internet backbone (or core router). If they reach that point, it's too late. If network administrators implemented such filtering by default, spoofing a packet would become nearly impossible, eliminating the time-consuming identification process in the DDoS investigation. Unfortunately, most networks do not have these crucial filters in place, and spoofed packets abound. IPv6, which will be deployed in the future, also has security features in place that address this fundamental networking problem.
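The source-address check that ingress filtering performs at the border router can be modeled as follows. This is an added example, not code from the original article; the prefixes, the sample packets and the `IngressFilter` class are constructed for illustration, and a real router applies the same rule in its access lists rather than in Python.

```python
import ipaddress
from collections import Counter

# Constructed sample: prefixes assigned to the networks behind this border
# router (documentation address ranges, not real allocations).
INTERNAL_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:10::/48"]

class IngressFilter:
    """Drop outbound packets whose source is not one of our own prefixes."""

    def __init__(self, prefixes):
        nets = [ipaddress.ip_network(p) for p in prefixes]
        # Keep IPv4 and IPv6 apart and merge overlapping or adjacent prefixes.
        self.nets = {
            v: list(ipaddress.collapse_addresses(n for n in nets if n.version == v))
            for v in (4, 6)
        }
        self.dropped = Counter()  # per-source drop counts, useful as an alarm

    def permits(self, src):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            self.dropped["malformed"] += 1
            return False
        if any(addr in net for net in self.nets[addr.version]):
            return True
        self.dropped[str(addr)] += 1
        return False

    def filter(self, packets):
        """Return only the packets that may be forwarded to the core router."""
        return [p for p in packets if self.permits(p["src"])]

# Constructed outbound traffic as seen on the internal interface.
SAMPLE_PACKETS = [
    {"src": "192.0.2.17", "dst": "203.0.113.5"},              # legitimate host
    {"src": "198.51.100.200", "dst": "203.0.113.5"},          # outside the /25: spoofed
    {"src": "10.9.8.7", "dst": "203.0.113.5"},                # not our prefix: spoofed
    {"src": "2001:db8:10::beef", "dst": "2001:db8:ffff::1"},  # legitimate IPv6 host
]

if __name__ == "__main__":
    f = IngressFilter(INTERNAL_PREFIXES)
    print("forwarded:", [p["src"] for p in f.filter(SAMPLE_PACKETS)])
    print("dropped:", dict(f.dropped))
```

The per-source drop counter is worth logging: a sudden rise in dropped packets from behind the router indicates a machine on your own network attempting to send spoofed traffic.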
The community also recognizes the difficulty of reaching the proper technical contacts on neighboring networks and is actively working on a solution (see Bugtraq). You should have in place a list of administrative and technical contacts at your ISP. Additionally, determine if they have a procedure in place for identifying and dealing with DDoS attacks on their own backbone network. Some of the major providers have sensors in place that can identify sudden increases in traffic at certain points, which serves as a useful alarm for discovering and isolating major DDoS incidents. If you're currently shopping for an access provider, ask them about dealing with DoS attacks. If you already have a provider, ask the same question. The response should determine if you need to be shopping for a new one.
Conclusion
The distributed denial of service is a very effective attack, one that is difficult to stop. The ultimate solution will require a vigilant networking community that enforces strict standards. Currently, the best defense techniques lie in anticipating such an attack. Having a DDoS incident response plan in place is crucial. And the use of ingress filtering and tight security standards should ensure that a machine under your control does not contribute to the problem. An active, aware, informed community can make the DDoS headlines of today a relic of the past.