Spoof Prevention (uRPF)

Many distributed DoS attacks take advantage of address “spoofing” by randomly selecting an address for the source field of IP packets. In some attacks the source address is chosen deliberately from the address block of the network under attack: the packets appear to come from inside that network, so ICMP error messages and other reply traffic are sent back to the spoofed internal addresses, turning the attack against other internal machines. You can protect yourself from these attacks by applying ingress filtering at the edge of your network, denying incoming packets whose source address falls within the network’s own address block. This filtering has traditionally been done with an inbound packet filter.

Referring back to the topology in Figure 6-2, note that three internal address blocks are assigned to PBR, Ale, and Bock’s network:

10.10.128.0/22
10.20.128.0/22
10.10.12.0/22

So a simple filter denies any packets sourced from those address blocks that arrive on PBR’s WAN connection:

[edit firewall]
lab@PBR# show
family inet {
    filter spoof-prevention {
        term my-addresses {
            from {
                source-address {
                    10.10.128.0/22;
                    10.20.128.0/22;
                    10.10.12.0/22;
                }
            }
            then {
                count spoofs;
                log;
                discard;
            }
        }
        term allow-rest {
            then count no-spoof;
        }
    }
}

Apply the firewall filter as an input filter on fe-0/0/0.412 and fe-0/0/0.413:

lab@PBR# show interfaces fe-0/0/0
vlan-tagging;
unit 412 {
    description PBR-to-Wheat;
    vlan-id 412;
    family inet {
        filter {
            input-list spoof-prevention;
        }
        address 172.16.1.2/24;
    }
}
...
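To see what the spoof-prevention filter above actually does to traffic, the following added example (not from the book or from Junos) simulates its two terms in Python over a handful of constructed packets arriving on the WAN-facing units. The three internal blocks are the ones listed above; the packet records, the interface names they carry and the helper functions are assumptions made for the illustration. The "allow-rest" term has no terminating action, so, as in the Junos filter, a packet that reaches it is accepted after being counted.

```python
import ipaddress
from collections import Counter

# The three internal address blocks from the page (PBR, Ale and Bock's network).
INTERNAL_BLOCKS = [
    ipaddress.ip_network(prefix)
    for prefix in ("10.10.128.0/22", "10.20.128.0/22", "10.10.12.0/22")
]


def evaluate_filter(src_ip, blocks=INTERNAL_BLOCKS):
    """Mirror the two terms of 'filter spoof-prevention' for a single packet.

    Returns (action, counter_name): term my-addresses counts and discards any
    packet whose source lies inside an internal block; term allow-rest counts
    everything else and, having no terminating action, accepts it.
    """
    src = ipaddress.ip_address(src_ip)
    if any(src in block for block in blocks):
        return "discard", "spoofs"
    return "accept", "no-spoof"


def run_filter(packets, blocks=INTERNAL_BLOCKS):
    """Apply the filter to a list of packets as an input filter would.

    Returns the per-term counters (like 'show firewall') and the list of
    packets that the 'log' action would have recorded.
    """
    counters = Counter()
    logged = []
    for pkt in packets:
        action, counter_name = evaluate_filter(pkt["src"], blocks)
        counters[counter_name] += 1
        if action == "discard":
            logged.append(pkt)
    return counters, logged


# Constructed sample packets seen on the WAN-facing units (hypothetical traffic).
SAMPLE_PACKETS = [
    # Source inside 10.10.128.0/22 arriving from the WAN: spoofed.
    {"src": "10.10.129.7", "dst": "10.10.12.5", "ifl": "fe-0/0/0.412"},
    # Ordinary external source (documentation range): legitimate.
    {"src": "203.0.113.9", "dst": "10.10.12.5", "ifl": "fe-0/0/0.412"},
    # Source inside 10.10.12.0/22 (which spans 10.10.12.0-10.10.15.255): spoofed.
    {"src": "10.10.15.200", "dst": "10.20.129.1", "ifl": "fe-0/0/0.413"},
    # One address past the end of 10.10.12.0/22: not matched, accepted.
    {"src": "10.10.16.1", "dst": "10.10.12.5", "ifl": "fe-0/0/0.413"},
    # Another external source: legitimate.
    {"src": "198.51.100.4", "dst": "10.20.130.2", "ifl": "fe-0/0/0.412"},
]


if __name__ == "__main__":
    counters, logged = run_filter(SAMPLE_PACKETS)
    for name in ("spoofs", "no-spoof"):
        print(f"{name:10s} {counters[name]}")
    for pkt in logged:
        print(f"discarded spoofed packet from {pkt['src']} on {pkt['ifl']}")
```

The boundary packet from 10.10.16.1 is the check worth keeping in mind when you write such a filter: a /22 covers four third-octet values, so 10.10.12.0/22 ends at 10.10.15.255 and the next address is outside the block and passes.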

Get JUNOS Enterprise Routing now with the O’Reilly learning platform.
