You only need to consider that more than 4.4 million distributed denial-of-service (DDoS) attacks occurred in the second half of 2021 to know with certainty that such attacks are always happening. It’s not a matter of if a company will be impacted by a DDoS attack; it’s a matter of when.

But enterprises don’t have to cower and wait for the inevitable to occur. In fact, enterprises and service providers can block 90% of DDoS attacks with two simple steps: blocking IP address spoofing and controlling inbound traffic.

Blocking spoofed traffic

IP address spoofing occurs when a device forges its source address for the purpose of impersonating another device. This is a preferred move by attackers when launching reflection/amplification attacks. Spoofing the source IP address forces an unwilling service to send its replies to the victim under attack.

But there’s no practical reason to allow spoofed traffic on the internet. If a network operator blocks this type of activity, it has zero impact on legitimate traffic.

In fact, if all network operators (enterprises, service providers, and so forth) universally blocked IP address spoofing, it would render attackers incapable of launching spoofed DDoS attacks. Doing so would, in turn, block all reflection/amplification DDoS attacks. Indeed, attackers are constantly looking for vulnerable devices inside corporate networks to launch spoofed DDoS attacks.

Blocking IP address spoofing is easy to do at the internet edge of the network by implementing a simple access control list (ACL). This requires negligible resources, and it ensures that only legitimate traffic is allowed to reach a company network.

Likewise, internet service providers (ISPs) should implement ACLs at the subscriber edges. Doing so ensures that the only inbound traffic accepted is traffic originating from the subnets allocated to the respective customers.
It’s also possible to implement controls such as this at the edges between local and regional ISPs, whereby the regional ISP can control the traffic that originates from local ISPs.

Controlling traffic toward services

Enterprises use the internet primarily for two purposes: accessing services/information and providing services/information to others. But regardless of the company’s scope or scale, no organization provides all services to every user.

As such, traffic should be limited in terms of what can be accessed. Strict access controls can be easily configured according to the type of services deployed. Doing so effectively blocks the majority of DDoS attacks with minimal effort. Think about multivector attacks, for example: when the majority of attack vectors are blocked, such attacks aren’t possible.

These strategies have proven effective for many enterprises around the world. For example, a large service provider was hit with a massive reflected DDoS attack in 2021. The attack was mitigated by predeployed ACL filters without any additional input from IT or security.

We discuss more about how network operators can successfully thwart cyberattacks by blocking spoofed IP addresses and controlling access to services in our 2H 2021 Threat Report. Read it to better understand how to fully block or dramatically reduce the impact of DDoS attacks by using these strategies.

Access the full interactive 2H 2021 Threat Report to learn more about how attackers are changing strategies to bring down VoIP providers.
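The two filters described above (anti-spoofing at the edge, and limiting inbound traffic to the services actually offered), modeled as a first-match ACL. This is an added example, not part of the original article; the prefixes, service list, interface names and sample packets are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    iface: str   # "outside" = internet-facing edge, "inside" = company LAN
    src: str
    dst: str
    proto: str
    dport: int

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Constructed addressing (documentation ranges); substitute real allocations.
OWN_PREFIXES = nets("203.0.113.0/24")
# Sources that are never valid arriving from the internet (partial list).
NEVER_VALID = nets("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                   "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")
# Services this network actually offers: (destination, protocol, port).
OFFERED = {("203.0.113.10", "tcp", 443), ("203.0.113.53", "udp", 53)}

def matches(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)

def edge_acl(pkt):
    """First-match, stateless decision; return traffic for outbound
    sessions is not modeled here."""
    if pkt.iface == "inside":
        # Egress anti-spoofing: only our own prefixes may leave the network.
        if not matches(pkt.src, OWN_PREFIXES):
            return "deny: spoofed source leaving network"
        return "permit"
    # Ingress anti-spoofing: our own or never-routable sources cannot
    # legitimately arrive from outside.
    if matches(pkt.src, OWN_PREFIXES + NEVER_VALID):
        return "deny: spoofed source"
    # Service control: anything not explicitly offered is dropped.
    if (pkt.dst, pkt.proto, pkt.dport) not in OFFERED:
        return "deny: service not offered"
    return "permit"

SAMPLE = [  # constructed packets
    Packet("outside", "198.51.100.7", "203.0.113.10", "tcp", 443),
    Packet("outside", "203.0.113.99", "203.0.113.10", "tcp", 443),
    Packet("outside", "10.1.2.3", "203.0.113.53", "udp", 53),
    Packet("outside", "198.51.100.7", "203.0.113.10", "udp", 123),
    Packet("inside", "192.0.2.50", "198.51.100.7", "udp", 53),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.iface:8}{p.src:15} -> {p.dst}:{p.proto}/{p.dport}  {edge_acl(p)}")
```

An ISP subscriber edge follows the same pattern with one allowed-source prefix list per customer interface.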