They should just run the servers with a blacklist on all, and a whitelist for allowed IPs (to connect to the server).
I would think the DDoS would have to be insanely massive if all it was able to send through was a failed connection to the firewall.
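The "drop everything, allow only listed client IPs" policy the post describes, as an added example that is not part of the original post: a POSIX shell function that emits an nftables ruleset with a default-drop input chain and an allowlist set. The table name `server_acl`, the set name `allowed_v4`, the port and the addresses passed on the command line are all assumed/constructed values; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post): generate an nftables ruleset
# that implements "deny all, allow listed IPs" for one service port.
# Usage: gen_allowlist_ruleset <port> <ipv4-or-cidr>... > /etc/nftables.conf
#        nft -c -f /etc/nftables.conf   # syntax check only, no changes
#        nft -f /etc/nftables.conf      # load (needs root)

# Turn the arguments into a comma-separated nftables element list.
# Rejects anything that is not made of digits, dots and a slash, so a
# malformed entry cannot end up inside the generated ruleset.
fmt_elements() {
  out=""
  for ip in "$@"; do
    case "$ip" in
      *[!0-9./]*|"") echo "rejected allowlist entry: $ip" >&2; return 1 ;;
    esac
    if [ -z "$out" ]; then out="$ip"; else out="$out, $ip"; fi
  done
  printf '%s' "$out"
}

# Print the complete ruleset. Table/set names are assumed placeholders.
gen_allowlist_ruleset() {
  port="$1"; shift
  elements=$(fmt_elements "$@") || return 1
  cat <<EOF
flush ruleset
table inet server_acl {
  # Allowed client addresses (IPv4 hosts or CIDR ranges).
  # Edit this set rather than the rules when clients change.
  set allowed_v4 {
    type ipv4_addr
    flags interval
    elements = { $elements }
  }
  chain input {
    # Default-deny: anything not matched below is silently dropped.
    type filter hook input priority 0; policy drop;
    # Keep replies to connections the server itself initiated.
    ct state established,related accept
    ct state invalid drop
    # Local traffic is always allowed.
    iifname "lo" accept
    # Only allowlisted sources may reach the service port.
    ip saddr @allowed_v4 tcp dport $port accept
  }
}
EOF
}

# Example invocation with constructed documentation-range addresses:
# gen_allowlist_ruleset 27015 203.0.113.10 198.51.100.0/24
```

Two things to keep in mind when using a host-level allowlist like this: unmatched packets are dropped before the service sees them, so an SSH or management rule must be added to the same chain or the policy will lock out the administrator as well; and the drop happens on the server's own interface, so a volumetric flood still consumes the upstream link and conntrack capacity even though no connection is ever completed. The allowlist removes the application from the attack surface; it does not by itself remove the bandwidth cost.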