=== DDoS ===
Protecting a network from a "real", large scale DDoS (distributed denial-of-service) attack is impossible on premise
[[http://en.wikipedia.org/wiki/DDoS ]], even though some may claim it is. It's simply a matter of link/bandwidth saturation (sometimes both inbound and/or outbound). For smaller (DDoS/DoS) attacks, we feature some known-to-work mitigation techniques such as SYN proxies and TCP normalization, connection-limits and traffic shaping.
To protect a network/service from a DDoS attack, one should: