Gyong Ju - South Korea

Archive for April, 2011

A Distributed Denial Of Service (DDOS) attack is an attempt by a malicious party to prevent legitimate users from using your services. With a DDOS attack this is typically accomplished through flooding, a process whereby multiple clients generate traffic to your site that takes up all of your site's capacity, so it stops responding to legitimate requests.

There are a number of solutions available against these types of attacks, but they tend to be ineffective, mostly because they are either dependent on your own infrastructure or they are reactive, meaning that they only respond after the attack has started. If DDOS attacks need to be blocked in or on your own infrastructure you will very quickly run out of capacity, as the attacker can generate more traffic than your own infrastructure (firewalls, switches, load balancers) can handle. So any time you are dependent on blocking DDOS attacks in your own environment you are already too late: the attack needs to be stopped before it gets to your doorstep. Now if you have deep pockets there are options available that run at the ISP level. They are basically IPS/IDS-like solutions that detect anomalous traffic and blackhole it. This avoids the traffic getting to your infrastructure, but these are expensive solutions that aren't available to your run-of-the-mill website owner.

So what's the solution to an attack that is capacity based? Have more capacity than the attacker. That sounds like a bad solution, as you don't have infinitely deep pockets to keep adding capacity for the unlikely event that you're being targeted by a DDOS attack. Fortunately there's a very easy way of getting additional capacity beyond the means of any DDOS attacker: use a Content Delivery Network. A CDN is a proxy solution that delivers content close to a target group, which offloads traffic from your website. There are a number of services available, like Akamai, Amazon CloudFront or MaxCDN. If you use a CDN and your site is hit by a DDOS attack, it is actually not your site being attacked but the CDN. And the CDN has tons and tons of capacity that no normal DDOS will be able to saturate. In normal circumstances the costs of using a CDN will be low enough not to give you any headaches, but when a DDOS is mounted you will see a spike in traffic. This will generate costs, as the CDN is responding to far more traffic than usual, but your site is protected against the DDOS attack. Whether you want to bear those costs is up to you, but at least there is a sure-fire way of countering a DDOS attack.

Now setting this up for a static website is simple, but things get a bit more complex with a dynamic, personalised site. Even then you can use a CDN to your advantage. Most DDOS attacks are simple scripts without the capabilities of a full browser. You could decide to host a static homepage on the CDN that loads a Javascript or Flash animation that needs to be executed before the visitor moves on to the dynamic site. The DDOS script can't execute the Javascript or Flash animation, fails the test, and never proceeds to the dynamic site. The firewall of your site is configured in such a way that only traffic coming from the CDN is accepted, so there is no bypass.
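The two checks described above, the origin firewall that only accepts CDN traffic and the "execute a script before you reach the dynamic site" gate, can be modelled at the origin in a few dozen lines. The following is an added example written for this post, not code from the post or from any CDN provider. It assumes constructed CDN edge ranges (substitute the ranges your CDN publishes), a hypothetical origin-only signing secret, and a landing page whose script does nothing more than copy an embedded token into a cookie and redirect; a flood script that fetches the page without executing it never sends that cookie back.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time
from typing import Optional

# Constructed CDN edge ranges (documentation prefixes); replace with your CDN's published ranges.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:cd::/48")]

# Hypothetical origin-only secret used to sign challenge tokens; generate a real random key.
CHALLENGE_KEY = b"hypothetical-origin-secret"
CHALLENGE_TTL = 300  # seconds a solved challenge remains valid


def from_cdn(source_ip: str) -> bool:
    """Firewall rule from the post: the TCP peer must be a CDN edge, otherwise drop."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in CDN_RANGES)


def _sign(issued: int, nonce: str) -> str:
    """HMAC over the token body so a client cannot forge or extend its own token."""
    msg = f"{issued}:{nonce}".encode()
    return hmac.new(CHALLENGE_KEY, msg, hashlib.sha256).hexdigest()


def make_token(now: Optional[float] = None) -> str:
    """Token the static landing page embeds. The page's script copies it into a
    cookie and redirects to the dynamic site; a client that never runs the script
    never presents it."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    return f"{issued}.{nonce}.{_sign(issued, nonce)}"


def verify_token(token: str, now: Optional[float] = None) -> bool:
    """Check signature and age of the challenge cookie presented to the dynamic site."""
    try:
        issued_s, nonce, sig = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False  # malformed cookie
    if not hmac.compare_digest(sig, _sign(issued, nonce)):
        return False  # forged or tampered
    current = now if now is not None else time.time()
    return 0 <= current - issued <= CHALLENGE_TTL


def admit(source_ip: str, cookie_token: Optional[str], now: Optional[float] = None) -> str:
    """Decision for one request to the dynamic site: 'drop' (did not come via the CDN),
    'challenge' (no valid cookie, serve the static landing page) or 'serve'."""
    if not from_cdn(source_ip):
        return "drop"
    if cookie_token is None or not verify_token(cookie_token, now):
        return "challenge"
    return "serve"


if __name__ == "__main__":
    token = make_token()
    # Constructed requests: direct hit bypassing the CDN, script without a cookie, real browser.
    for ip, cookie in [("192.0.2.1", token), ("203.0.113.7", None), ("203.0.113.7", token)]:
        print(ip, cookie is not None, "->", admit(ip, cookie))
```

The source address checked by `from_cdn` is the TCP peer, which behind a CDN is always an edge node; the real visitor address arrives in a forwarded-for style header and is not what the firewall rule should trust. Keep the TTL short so a token harvested once cannot be replayed for long, and rotate `CHALLENGE_KEY` if it is ever exposed.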

If you're willing to pay the price of a CDN, you have every chance of surviving a DDOS.