Manual DDoS mitigation is no longer recommended due to DDoS attackers being able to circumvent DDoS mitigation software that is activated manually. Best practices for DDoS mitigation include having both anti-DDoS technology and anti-DDoS emergency response services. DDoS mitigation is also available through cloud-based providers.
Methods of attack
DDoS attacks are executed against websites and networks of selected victims. A number of vendors are offering "DDoS resistant" hosting services, mostly based on techniques similar to content distribution networks. Distribution avoids single point of congestion and prevents the DDoS attack from concentrating on a single target.
One technique of DDoS attacks is to use misconfigured third-party networks that allow amplification of spoofed UDP packets. Proper configuration of network equipment, enabling ingress filtering and egress filtering, as documented in BCP 38 and RFC 6959, prevents amplification and spoofing, thus reducing the number of relay networks available to attackers.
- Gaffan, Marc (20 December 2012). "The 5 Essentials of DDoS Mitigation". Wired.com. Retrieved 25 March 2014.
- Paganini, Pierluigi (10 June 2013). "Choosing a DDoS mitigation solution…the cloud based approach". Cyber Defense Magazine. Retrieved 25 March 2014.
- Chai, Eldad (21 October 2013). "Incapsula’s Five-Ring Approach to Application Layer DDoS Protection". Incapsula. Retrieved 25 March 2014.
- Tan, Francis (2 May 2011). "DDoS attacks: Prevention and Mitigation". The Next Web. Retrieved 25 March 2014.
- Christian Rossow. "Amplification DDoS".
- "Network Ingress Filtering: IP Source Address Spoofing". IETF. 2000.
- "Source Address Validation Improvement (SAVI) Threat Scope". IETF. 2013.