The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack
is to deny all:

A.
outgoing traffic with IP source addresses externa! to the network.

B.
incoming traffic with discernible spoofed IP source addresses.

C.
incoming traffic with IP options set.

D.
incoming traffic to critical hosts.

Explanation:
Outgoing traffic with an IP source address different than the IP range in the network is invalid, in most of the
cases, it signals a DoS attack originated by an internal user or by a previously compromised internal machine;
in both cases, applying this filter will stop the attack.