Attack Prevention

It is extremely difficult to actually prevent a DoS attack, since you usually don’t own the network from which the attack is originating. That being said, there are some steps you can take to help prevent attacks from bringing down your network and devices.

Eliminate Unused Services

Disabling or removing services that the device is not using gives you a good start toward defeating attacks. Every active service is listening on an open port, and certain attacks, such as TCP SYN floods, rely on this fact. For example, a TCP SYN flood to TCP port 21 will not succeed if the FTP service on the target device is disabled. Of course, you can’t disable all services—devices legitimately need some in order to function properly and interact with other devices on the network. But there is no good reason to leave unused services running, or to leave the device any more open to attack than it needs to be.

Enable Reverse Path Forwarding

Unicast Reverse Path Forwarding (RPF) is a security feature that verifies that traffic is arriving from the direction it should be coming from. When a packet arrives at a JUNOS device that is configured to use unicast RPF, the device does a route lookup on the packet’s source address to determine which path it would use to send return traffic to the originating device. If the packet’s incoming interface matches the interface the router would use to send that return traffic, the packet is considered valid; otherwise, the packet is dropped.
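The following simulation of the check described above is an added example, not code from the book or from Junos itself. The routing table, interface names and addresses are constructed sample data; the "loose" mode goes beyond the text (it only requires that some route back to the source exist) and is included to contrast it with the strict behaviour the paragraph describes.

```python
"""Simulation of the unicast RPF decision a router makes per packet."""
import ipaddress
from typing import Dict, Optional

# Constructed routing table: destination prefix -> egress interface.
# Sample data only; not taken from any real device.
ROUTES: Dict[str, str] = {
    "0.0.0.0/0": "ge-0/0/0",      # default route toward the upstream provider
    "10.1.0.0/16": "ge-0/0/1",    # internal customer network
    "10.1.5.0/24": "ge-0/0/2",    # a more specific internal subnet
    "192.0.2.0/24": "ge-0/0/3",   # DMZ
}


def lookup_egress(table: Dict[str, str], address: str) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to send
    traffic *back* to `address`. Returns None if no route covers it."""
    addr = ipaddress.ip_address(address)
    best_iface, best_len = None, -1
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def rpf_check(table: Dict[str, str], src: str, ingress: str,
              mode: str = "strict") -> bool:
    """Return True if the packet is accepted, False if RPF drops it.

    strict: the return-path interface must equal the ingress interface
            (the behaviour described in the text).
    loose:  any route back to the source is enough (generalization).
    """
    egress = lookup_egress(table, src)
    if egress is None:
        return False          # no route back to the source at all: drop
    if mode == "loose":
        return True
    return egress == ingress  # strict: must arrive where we would reply


if __name__ == "__main__":
    # A packet claiming an internal source but arriving from upstream is
    # exactly the spoofing case strict RPF is meant to catch.
    for src, iface in [("10.1.5.7", "ge-0/0/2"), ("10.1.5.7", "ge-0/0/0"),
                       ("203.0.113.9", "ge-0/0/0"), ("203.0.113.9", "ge-0/0/3")]:
        verdict = "accept" if rpf_check(ROUTES, src, iface) else "drop"
        print(f"src={src:<12} in={iface}: {verdict}")
```

Note that with a default route present, loose mode accepts every source address, so it only catches sources with no route at all; strict mode is what actually rejects the spoofed internal address arriving on the upstream interface.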

Some attacks use IP spoofing as part of their attack, ...
