
Under $100 for a large-scale DDoS attack is ridiculously cheap. It's no wonder these are getting freakishly common.

Does anyone have best practices for dealing with the more modern variants?




There really isn't any beyond having a large pipe connected to a network device capable of filtering a high volume of pps.

That has always been the problem with competently executed DDoS attacks. You need a very large pipe as Step #1 which is simply not cost effective for most businesses. :/


There's a tiny bit of hope in there. The article claims that bots are polling CNC about once an hour (I suppose because they don't want to DOS themselves). So one option is to shift your service to a different domain name every hour, and notify your customers by email that they have to connect to a different host. This might be a lot of trouble, but may still allow you to support existing business relationships which is better than nothing.

It gets even better if you're publishing through a mobile app - that one can simply switch from one host to another on the fly without the customer even being aware of the problem beyond a slight delay in connection. The list of hosts would need to be distributed out of band as a tiny payload, either through a high-cost high-bandwidth channel (but in a very low volume, obviously, just the name of the new host), or via DNS TXT records so that they are hard to decipher reliably and require custom programming and raise the cost of the attack. There might even be hosts that will hold your alternate host list for free, such as the iTunes App Store (app description or even an in-app purchase "description" field).

Speaking of high-cost high-bandwidth providers, I think another option would be to host a CAPTCHA there, and those who solve it, or have cookies to prove that they did, or have logged in with a valid account, get redirected to one from the rotating lists of your normal hosts, with names and IP addresses changing every few minutes. An AJAXy application can then try different hosts in turn or in parallel before following a link.
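The out-of-band host list and client-side failover sketched in the comment above, as an added example that is not part of the original thread. It assumes the list is published as short TXT-style strings and authenticated with an HMAC (a shared secret baked into the app) so that a forged or replayed list cannot steer clients to a hostile host; the key, record format, host names and the injected resolver/connector are all constructed for the demo.

```python
"""Out-of-band host list with HMAC authentication and client failover.

Added example, not code from the original thread. The host list is published
as two TXT-sized strings (payload + tag) and verified by the client before
use. The connector is injected so the module runs offline against
constructed data.
"""
import hashlib
import hmac
import json
from typing import Callable, Iterable, List, Optional

# Constructed example values (assumptions, not from the thread): a shared
# secret shipped inside the app and the alternate hosts published out of band.
APP_SECRET = b"constructed-demo-key-not-for-production"
ALT_HOSTS = ["svc-a1.example.net", "svc-b7.example.net", "svc-c3.example.net"]


def publish_host_list(hosts: Iterable[str], key: bytes, issued: int) -> List[str]:
    """Render the list as two TXT character-strings: JSON payload and HMAC tag.

    'issued' is a Unix timestamp so clients can reject stale (replayed) lists.
    """
    payload = json.dumps({"issued": issued, "hosts": list(hosts)}, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    strings = [f"p={payload}", f"t={tag}"]
    # A single TXT character-string is limited to 255 bytes.
    assert all(len(s.encode()) <= 255 for s in strings), "payload too large for one TXT string"
    return strings


def parse_host_list(txt_strings: Iterable[str], key: bytes, max_age: int, now: int) -> List[str]:
    """Verify and decode a published list; return [] if it is forged, damaged or stale."""
    fields = {}
    for s in txt_strings:
        k, _, v = s.partition("=")
        fields[k] = v
    payload, tag = fields.get("p"), fields.get("t")
    if payload is None or tag is None:
        return []
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return []  # tag mismatch: the list was altered or not issued by us
    data = json.loads(payload)
    if now - int(data.get("issued", 0)) > max_age:
        return []  # stale list: protects against replay of an old record
    return [h for h in data.get("hosts", []) if isinstance(h, str)]


def connect_with_failover(hosts: Iterable[str], connector: Callable[[str], bool],
                          attempts_per_host: int = 1) -> Optional[str]:
    """Try each host in turn; connector(host) returns True on success or raises OSError.

    Returns the first host that answered, or None if every host failed.
    """
    for host in hosts:
        for _ in range(attempts_per_host):
            try:
                if connector(host):
                    return host
            except OSError:
                continue  # unreachable or flooded host: move on
    return None


if __name__ == "__main__":
    now = 1_700_000_000
    txt = publish_host_list(ALT_HOSTS, APP_SECRET, issued=now)
    hosts = parse_host_list(txt, APP_SECRET, max_age=3600, now=now + 60)
    # Constructed connector: the first host is down, the second answers.
    chosen = connect_with_failover(hosts, lambda h: h == ALT_HOSTS[1] if h != ALT_HOSTS[0] else (_ for _ in ()).throw(OSError()))
    print("connected to", chosen)
```

In a real client the connector would open the TLS connection and validate the certificate for the chosen name, so a rotated host still has to present a certificate the app trusts.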


My reading was that their C&C monitoring stuff was polling once an hour, not the bots themselves.


DDoS is the antithesis to an open and free internet from a free market perspective because it drives people to a few select providers for hosting and CDN services. In the end, the big players in those spaces who have the bandwidth win. It's not so much about who has the best innovation either as DDoS tends to be all about brute-force.


DDoS is the very exemplar of Freedom Markets (tm). Probably its defining quality.

Functioning healthy markets require regulation, protection of property rights, a fair and impartial court system, enforcement, etc, etc.

In other words, just like there's no free lunch, there's no such thing as "free markets".


Actually there are providers which will sell you a port ACL as part of their DDoS mitigation service. These ACLs can block almost all of the BS volumetric attacks which will cripple you. Everything gets blocked on the provider side. NTT's pricing is especially reasonable. TWTC has a similar service.


Yes. But once again, that is someone with a large enough pipe.

People sell DDoS mitigation but that isn't anything close to a business being able to mitigate things and caring about best practices.


A 1gig circuit is a large pipe?

Also, what are you talking about? Are you claiming that neither NTT nor TWTC can mitigate a DDoS attack? If so, you're massively wrong.


> Also, what are you talking about? Are you claiming that neither NTT nor TWTC can mitigate a DDoS attack? If so, you're massively wrong.

Both are in possession of large networks which allow them to mitigate DDoS attacks.

The small business with the 1gbps pipe isn't "mitigating" the attack. Their provider is mitigating the attack in return for payment.


Use a service like CloudFlare; it's 250 dollars and you are completely free of UDP attacks + a lot of TCP ones.


CloudFlare protection can be easily bypassed. These types of proxy services which offer decently cheap DDoS protection are fine for defending against small-time attacks, however, plenty of attackers have scripts capable of bypassing them.


You can't bypass it with SYN floods or UDP floods. And if we are talking about the size of the attack in terms of bandwidth, look at the Spamhaus and CloudFlare case. That wasn't small. I admit that a specialized, sophisticated attack from, let's say, the top 3 botnets would do damage and probably bypass CloudFlare's HTTP protection. But if someone is making such an attack on you then you can probably afford Prolexic.


What scripts are capable of bypassing CloudFlare/proxy services and how do they do it? Do they look for old DNS records that leak their Origin IP or something like that?


There are two ways to bypass CloudFlare and related services. 1) Most of the time, as Kephael said, websites expose their back end IPs through subdomains like ssh.domain.com or ftp.domain.com. MX records also sometimes function in the same way. There are a variety of ways to resolve a domain through CloudFlare. 2) CloudFlare bypass scripts can be bought for around $400 which manipulate the JavaScript per client when sending an attack (mainly by disabling JavaScript). This prevents the so called "challenge pages" from blocking malicious traffic, effectively slipping through CloudFlare protection. Most of these scripts work on most other providers such as Sucuri as well.


Here's how it could be done:

Spin up a hefty AWS instance and connect to every single IPv4 IP while sending an HTTP GET request on successful connects with a Host header matching that of the domain. There are only 4 billion IPs. Look for successful code 200s with the same headers and content as the original website. Easier said than done though.

Btw, this attack can be prevented if you run a drop-all firewall and only whitelist the IPs listed here: https://www.cloudflare.com/ips/


Frequently there will be MX records or something similar pointing directly to the server. Even error pages can potentially leak a direct, unprotected IP.
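The defensive side of the last few comments, as an added example that is not from the original thread: an audit that walks your own zone data for records (A, MX targets, SPF text) naming the origin address outside the CDN's ranges, plus a generated nftables ruleset that drops everything inbound except web traffic from those ranges. The CDN ranges, the zone and the origin IP are constructed placeholders; in practice the ranges come from the CDN's published list (the CloudFlare URL above), and you would add an explicitly scoped rule for your own admin access.

```python
"""Origin-exposure audit and CDN-only firewall allowlist.

Added example, not the thread's or any vendor's code. Inputs are constructed:
CDN_RANGES stands in for the CDN's published list, SAMPLE_ZONE for your zone.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed placeholder ranges (RFC 5737 documentation space), not real CDN ranges.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed zone as (name, type, value). www sits behind the CDN, but ftp and
# mail point straight at the origin, and the SPF record repeats the origin IP.
SAMPLE_ZONE = [
    ("www.example.com.", "A", "198.51.100.7"),
    ("ftp.example.com.", "A", "192.0.2.10"),
    ("example.com.", "MX", "mail.example.com."),
    ("mail.example.com.", "A", "192.0.2.10"),
    ("ssh.example.com.", "CNAME", "www.example.com."),
    ("example.com.", "TXT", "v=spf1 ip4:192.0.2.10 -all"),
]


def behind_cdn(ip: str, ranges: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the address falls inside one of the CDN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_exposed_records(zone: Iterable[Tuple[str, str, str]], origin_ips: Iterable[str],
                         ranges: Iterable[ipaddress.IPv4Network]) -> List[Tuple[str, str, str]]:
    """Return records whose value contains an origin IP that is not a CDN address.

    Values are tokenised so SPF-style text ("ip4:192.0.2.10") is caught too;
    hostnames (MX/CNAME targets) are skipped, but their own A records are checked.
    """
    origins = {ipaddress.ip_address(o) for o in origin_ips}
    exposed = []
    for name, rtype, value in zone:
        for token in value.replace("ip4:", " ").replace("ip6:", " ").split():
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # not an address literal
            if addr in origins and not any(addr in n for n in ranges):
                exposed.append((name, rtype, value))
                break
    return exposed


def nft_allowlist(ranges: Iterable[ipaddress.IPv4Network], ports: Tuple[int, ...] = (80, 443)) -> str:
    """Render an nftables ruleset: default drop, loopback and established traffic
    allowed, and the web ports reachable only from the CDN ranges."""
    cidrs = ", ".join(str(n) for n in ranges)
    plist = ", ".join(str(p) for p in ports)
    return "\n".join([
        "table inet origin_guard {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    ip saddr {{ {cidrs} }} tcp dport {{ {plist} }} accept",
        "    # add a narrowly scoped rule for your own admin access (VPN range) here",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for rec in find_exposed_records(SAMPLE_ZONE, ["192.0.2.10"], CDN_RANGES):
        print("origin exposed by record:", rec)
    print(nft_allowlist(CDN_RANGES))
```

The audit only finds what is in the zone you feed it; historical DNS data held by third parties and error pages that echo the server address are separate checks. The ruleset is the piece that makes those leaks harmless, since a discovered origin that only talks to the CDN is not a useful target.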


If your email is hosted on the same machine as your web server, I don't think DDoS attacks are your highest priority.

