DDoS mitigation is a set of techniques for resisting distributed denial-of-service (DDoS) attacks on networks attached to the Internet by protecting the target and relay networks. This is done by passing network traffic addressed to the attacked network through high-capacity networks with "traffic scrubbing" filters. DDoS mitigation requires correctly identifying incoming traffic to separate human traffic from human-like bots and hijacked web browsers. The process is done by comparing signatures and examining different attributes of the traffic, including IP addresses, cookie variations, HTTP headers, and JavaScript footprints.
Manual DDoS mitigation is no longer recommended due to DDoS attackers being able to circumvent DDoS mitigation software that is activated manually. Best practices for DDoS mitigation include having both anti-DDoS technology and anti-DDoS emergency response services. DDoS mitigation is also available through cloud-based providers.
Network-Layer Controls: by defining and enforcing IP whitelists and blacklists, you can allow or restrict requests from specific geographical regions and certain IP addresses.
Application-Layer Controls: pre-defined, configurable application-layer firewall rules let you address categories such as protocol violations, request limit violations, HTTP policy violations and more.
Adaptive Rate Controls: by monitoring and controlling the rate of requests against applications, you can automatically protect them against application-layer DDoS and other volumetric attacks.
You may refer to this blog post. The author has incorporated some simple but effective tips.
If you have your own cloud, there are many vendors who provide anti-DDoS services. To name a few: Cloudflare, Akamai, ... and so on.
My two cents: never stop reinventing the wheel.
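The network-layer list check and the adaptive rate control described above can be sketched together as follows. This is an added example, not code from the answer or from any vendor; the class name, thresholds, and the RFC 5737 documentation addresses are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed policy using documentation ranges (RFC 5737); not real addresses.
DENY = [ipaddress.ip_network("203.0.113.0/24")]
ALLOW = [ipaddress.ip_network("192.0.2.0/28")]


class RateControl:
    """Per-client sliding-window limiter whose limit tightens under total load."""

    def __init__(self, window=10.0, base_limit=5, tight_limit=1, load_trigger=20):
        self.window = window              # seconds of history considered
        self.base_limit = base_limit      # per-client requests/window, normal load
        self.tight_limit = tight_limit    # per-client requests/window, high load
        self.load_trigger = load_trigger  # total requests/window that counts as high load
        self.per_client = defaultdict(deque)
        self.total = deque()

    def _expire(self, stamps, now):
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()

    def decide(self, ip, now):
        addr = ipaddress.ip_address(ip)
        # Network-layer control: list checks run before any rate accounting.
        if any(addr in net for net in DENY):
            return "deny-list"
        if any(addr in net for net in ALLOW):
            return "allow-list"
        seen = self.per_client[ip]
        self._expire(seen, now)
        self._expire(self.total, now)
        self.total.append(now)  # rejected requests still count as load
        # Adaptive step: pick the stricter limit while total load is high.
        limit = self.tight_limit if len(self.total) > self.load_trigger else self.base_limit
        if len(seen) >= limit:
            return "rate-limited"
        seen.append(now)
        return "allow"


def replay(events, **settings):
    """Run (timestamp, ip) pairs through a fresh RateControl; return the decisions."""
    rc = RateControl(**settings)
    return [rc.decide(ip, ts) for ts, ip in events]


# Constructed sample traffic: one listed source each, then a burst from one client.
SAMPLE = [(0.0, "203.0.113.7"), (0.1, "192.0.2.5")] + [
    (1.0 + i / 10, "198.51.100.10") for i in range(7)
]
```

Calling `replay(SAMPLE)` shows the listed sources handled by the list check and the burst cut off after five requests; lowering `load_trigger` shows the per-client limit tightening once total traffic in the window is high.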