What are the best techniques for preventing denial of service attacks?

Solution 1:

Preventing a DDoS is mostly about not being a target. Don't host game servers, gambling/porn sites, and other things that tend to get people annoyed.

Mitigating a DDoS attack comes in two forms:

  • being able to ignore traffic and shed excess load, which is useful when you're under an attack that tries to take you down by overloading your machines (and also comes in handy if you ever get "Slashdotted");
  • being able to reject abusive network traffic upstream of you, so that it doesn't clog your links and take out your connectivity.

The former is somewhat dependent on what exactly you're serving, but usually comes down to some combination of caching, overflow handling (detecting when the servers are "full" and redirecting new connections to a low-resource-usage "sorry" page), and graceful degradation of request processing (so not doing dynamic rendering of images, for example).

The latter requires good communications with your upstreams -- have the phone number of your upstreams' NOCs tattooed to the inside of your eyelids (or at the very least in a wiki somewhere that isn't hosted in the same place as your production servers...) and get to know the people who work there, so when you call you'll get immediate attention as someone who actually knows what they're talking about rather than just being some random johnny.

Solution 2:

You don't mention what kind of perimeter security you have in place. With Cisco firewalls you can limit the number of embryonic (half-open) sessions that your firewall will allow before it cuts them off, while still allowing full sessions to go through. By default it's unlimited, which offers no protection.
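As an added illustration of the setting this answer refers to (not part of the original answer), here is what the embryonic-connection limit looks like on a Cisco ASA using the Modular Policy Framework. The class-map/policy-map names and the numeric limits are assumptions chosen for the example; the defaults of 0 mean "unlimited", which is the unprotected state the answer describes.

```cisco
! Default state: no limits, so a SYN flood can exhaust the connection table.
!   set connection embryonic-conn-max 0        (0 = unlimited, the default)
!   set connection per-client-embryonic-max 0  (0 = unlimited, the default)

! Hardened example (names and numbers are illustrative assumptions):
class-map tcp-inbound
 match any
!
policy-map global_policy
 class tcp-inbound
  ! Cap half-open (embryonic) TCP sessions globally; once reached, the ASA
  ! proxies the handshake and only forwards connections that complete it.
  set connection embryonic-conn-max 2000
  ! Also cap half-open sessions per source, so one host cannot use the budget.
  set connection per-client-embryonic-max 50
  ! Drop embryonic sessions that never complete the handshake sooner than default.
  set connection timeout embryonic 0:00:15
!
service-policy global_policy global
```

Verify it took effect with `show service-policy`, and watch `show conn count` during an incident to see whether embryonic connections are being capped rather than accumulating.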