Anti-DDOS alternatives

The primary goal of this solution is to prevent ARP spoofing by other computers on the local network. It uses a whitelist and blocks all other systems sending possible malicious ARP requests (e.g. with spoofing attack).

nftables is supposed to replace netfilter as the primary interface of network filtering. It is available since Linux kernel 3.13. Both netfilter and nftables have been co-authored by Patrick McHardy.

This tool provides a centralized method to distribute ipset blacklists.

A tool like Assimilator can be of great help to 'normalize' all firewall rules into one place. Especially when a company uses different firewalls, each with their own syntax and specifics. Assimilator will then simplify the way firewall rules are created and managed.

Douane is an application firewall that blocks unknown or unwanted traffic. It provides a more fine-grained filtering as it looks at the combination of application and used network ports. This is useful when allowing common browse traffic on port 80 and 443. Instead of all applications being able to use this port, only the ones that are granted access will be able to do so. When a new connection is not trusted yet, Douane will ask to allow or deny the traffic stream.

Port knocking tools typically hide services from the outside world by requesting a 'secret'. This secret is like a special way of knocking on a door, to let others know you can be trusted. It does not replace a password or other method of authentication, yet adds another layer to it.