If you can distinguish DDoS traffic from legitimate traffic as described in the previous section, that can help mitigate the attack while keeping your services at least partially online. For instance, if you know the attack traffic is coming from Eastern European sources, you can block IP addresses from that geographic region. A good preventative technique is to shut down any publicly exposed services that you aren’t using. Services that might be vulnerable to application-layer attacks can be turned off without affecting your ability to serve web pages.
In general, though, the best way to mitigate DDoS attacks is simply to have the capacity to withstand large amounts of inbound traffic. Depending on your situation, that might mean beefing up your own network, or making use of a content delivery network (CDN), a service that is designed to accommodate huge amounts of traffic and that has built-in DDoS defenses.
Your network service provider might have its own mitigation services you can use, but a new attacker strategy observed in 2024 is to keep attacks below the thresholds at which ISPs' automatic traffic filtering kicks in. Even smaller DDoS attacks can take down applications that were not designed to handle a lot of traffic, such as industrial devices exposed to the internet for remote management purposes.
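Because such attacks stay below the provider's filtering threshold, detection has to be measured against the application's own capacity. The following added example (not from the original article) flags sustained request rates above what a small service can handle and notes whether upstream filtering would have triggered; the thresholds, function names and sample events are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Assumed thresholds for illustration; tune them to your own service.
APP_CAPACITY_RPS = 20                # requests/s the application can sustain
UPSTREAM_FILTER_BPS = 1_000_000_000  # bits/s at which provider filtering starts
SUSTAIN_SECONDS = 3                  # ignore bursts shorter than this

def detect_low_volume_overload(events):
    """events: (unix_second, src_ip, size_bytes). One alert per sustained run."""
    per_sec = defaultdict(lambda: {"reqs": 0, "bytes": 0, "src": Counter()})
    for ts, ip, size in events:
        bucket = per_sec[int(ts)]
        bucket["reqs"] += 1
        bucket["bytes"] += size
        bucket["src"][ip] += 1
    alerts, run = [], []
    for sec in sorted(per_sec) + [None]:  # None flushes the last run
        over = sec is not None and per_sec[sec]["reqs"] > APP_CAPACITY_RPS
        if over and (not run or sec == run[-1] + 1):
            run.append(sec)
            continue
        if len(run) >= SUSTAIN_SECONDS:
            alerts.append(_summarise(run, per_sec))
        run = [sec] if over else []
    return alerts

def _summarise(run, per_sec):
    peak_bps = max(per_sec[s]["bytes"] * 8 for s in run)
    sources = sum((per_sec[s]["src"] for s in run), Counter())
    return {
        "start": run[0], "seconds": len(run),
        "peak_rps": max(per_sec[s]["reqs"] for s in run),
        "peak_bps": peak_bps,
        "below_upstream_filter": peak_bps < UPSTREAM_FILTER_BPS,
        "top_sources": [ip for ip, _ in sources.most_common(3)],
    }

def sample_events():
    """Constructed data: steady users, a 4 s low-volume flood, a 1 s burst."""
    ev = []
    for sec in range(1000, 1010):
        ev += [(sec, f"198.51.100.{i}", 800) for i in range(5)]
    for sec in range(1003, 1007):
        ev += [(sec, "203.0.113.7", 600)] * 25 + [(sec, "203.0.113.8", 600)] * 15
    ev += [(1008, "192.0.2.5", 600)] * 30
    return ev

if __name__ == "__main__":
    print(detect_low_volume_overload(sample_events()))
```

On the sample data the flood peaks at 45 requests per second but only 224 kbit/s, so it overloads the service while remaining far below the assumed upstream threshold; the one-second burst is not reported.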