I can't stand DDoS attacks, when I was in the webhosting industry we used to suffer them all the time as we hosted several different right wing political websites that attracted a lot of heat. The issue with DDoS attacks is that the majority of the servers are generally from all over the world and have been compromised through weak security in which a hacker has gained access to a server via several methods, sometimes bruteforce and then infects the server with a trojan. From there, they setup a botnet from IRC and literally use all the infected servers to flood a server or a router with bogus packets in attempts to take the server/router offline. I remember times when my bill was exceeding 10,000 dollars a month as I would be attacked in the wee hours of the morning, I eventually got fed up with it and set up MRTG graphs as well as hired a cage monkey and 2nd system admin to nullroute the servers in the event a DDoS attack happened so I wouldn't be losing a ton of money due to an attack.
Unfortunately preventing DDoS attacks is very difficult, many of the largest companys have been unable to completely stop them. There was an Israeli company called bluesecurity about 2 years ago who was dedicated to stopping spam, they were known to use some pretty questionable tactics but it worked, their methods were so effective that some of the worlds largest spam rings took it as a threat and DDoS attacked them for a week. The company shut down shortly after and spam tripled.
The only ways I know of to prevent attacks.
The investigative process should begin immediately after the DoS attack begins. There will be multiple phone calls, call backs, emails, pages and faxes between the victim organization, one's provider and others involved. It is a time consuming process, so the process should begin immediately. It has taken some very large networks with plenty of resources several hours to halt a DDoS.
The easiest way to survive an attack is to have planned for the attack. Having a separate emergency block of IP addresses for critical servers with a separate route can be invaluable. A separate route (perhaps a DSL) is not that extravagant, and it can be used for load balancing or sharing under normal circumstances and switched to emergency mode in the event of an attack.
Filtering is often ineffective, as the route to the filter will normally be swamped so only a trickle of traffic will survive. However, by using an extremely resilient stateful packet filter that will inexpensively drop any unwanted packets, surviving a DDoS attack becomes much easier. When such a high performance packet filtering server is attached to an ultra high bandwidth connection (preferably an Internet backbone), communication with the outside world will be unimpaired so long as not all of the available bandwidth is saturated, and performance behind the packet filter will remain normal as long as the packet filter drops all DDoS packets. It should be noted however, that in this case the victim of the DDoS attack still would need to pay for the excessive bandwidth. The price of service unavailability thus needs to be weighed against the price of truly exorbitant bandwidth/traffic.
SYN Cookies
SYN cookies modify the TCP protocol handling of the server by delaying allocation of resources until the client address has been verified. This seems to be the most powerful defense against SyN attacks. There are Solaris and Linux implementations. The Linux implementation can be turned on during runtime of the Linux kernel.
Firewalls
Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. Some DoS attacks are too complex for today's firewalls, e.g. if there is an attack on port 80 (web service), firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls are too deep in the network hierarchy. Your router may be affected even before the firewall gets the traffic. Nonetheless, firewalls can effectively prevent users from launching simple flooding type attacks from machines behind the firewall.
Modern stateful firewalls like Check Point FW1 NGX & Cisco PIX have a built-in capability to differentiate good traffic from DoS attack traffic. This capability is known as a "Defender", as it confirms TCP connections are valid before proxying TCP packets to service networks (including border routers). A similar ability is present in OpenBSD's pF, which is available for other BSDs as well. In that context, it is called "synproxy".
Switches
Most switches have some rate-limiting and ACL capability. Some switches provide automatic and or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN Link failover and balancing.
These schemes will work as long as the DoS attacks are something that can be prevented using them. For example SYN flood can be prevented using delayed binding or TCP splicing. Similarly content based DoS can be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set rate-thresholds correctly and granularly. Wan-link failover will work as long as both links have DoS/DDoS prevention mechanism.
Routers
Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under DoS attack. If you add rules to take flow statistics out of the router during the DoS attacks, they further slow down and complicate the matter. Cisco IOS has features that prevents flooding, i.e. example settings.
Application front end hardware
Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management. Look for granularity of bandwidth management, hardware acceleration, and automation while selecting an appliance.
IPS based prevention
Intrusion-prevention systems are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. IPS systems which work on content recognition cannot block behavior based DoS attacks.
An ASIC based IPS can detect and block denial of service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.
A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.
