DDoS Protection
Lie_to_Me, 2010-10-09 19:01:32

Protection against DDOS attacks?

The question came up after reading the topic: 100+ Gb/s DDoS.
At the moment this question is relevant given how simple it is to create a network of DDoS bots, but let's leave that point aside: what interests me is protection against these types of attacks, in both software and hardware implementations, the classification of DDoS attacks and, I repeat, the methods of protecting against / repelling attacks.
Another question of interest: ways to find the bot herder in order to reach the customer (*we do not take the hijacking of bots into account*), and what kind of liability he can face under the legislation of the Russian Federation.

7 answer(s)
BasilioCat, 2010-10-09
@BasilioCat

The answer to your question, on the practical side of DDoS protection alone, would fill a small book, or at least an hour-long talk at HighLoad =))

Lie_to_Me, 2010-10-10
@Lie_to_Me

Thanks to everyone for the answers, so let's summarize for now:
We have several types of attacks, one of which is DoSing the web applications and services themselves (*for example, an old one, but still (if a fresh example is needed, I will give one): www.securitylab.ru/vulnerability/203865.php*) - software updates, scripts.
Further, with a small attack, we can use some kind of software or web service to compile and generate firewall rules and .htaccess, for example: ipinfodb.com/

IPinfoDB is a monthly updated database of IP address ranges tied to different countries. Here you can quickly see which country a particular IP belongs to, and the service has several built-in tools for generating firewall rules and .htaccess, with which you can block access to the server by geography. If you need to quickly repel an influx of bots from China or from somewhere else, this is a very good helper.

as well as drawing up rules and writing scripts: forum.antichat.ru/thread128581.html. In general, to be honest, this section on the chat helped me: AntiDDos - AntiDDOS ...
to: lafayette > almost, but there is the option of hijacking the bot network / subnet itself; regarding the article, yes, up to 3 years, but I think a few more can be added, up to the blackout.
to: BasilioCat > I would like to listen to, read or see presentations, as well as, say, the theoretical implementation.
to: xsash>
1) if the site is ddosed to order, then it turns out that there are no negotiations with the site administrator, this method is possible only if there is an initial goal for which online work is important, if the order is not made, then no one will contact you.
2) I already wrote, in a topic that is now hidden, that the most you can do is search for and trace 1-2 client machines from which the command was given, and which are themselves infected and act as SOCKS servers, so in this case the best option is to hijack the botnet itself.
3-4, I think it can be combined, it turns out monitoring of underground sites where these services are offered, and where is the guarantee that this will not be posturing.
to: savostin > that's exactly what you imagine, since there are several classifications of attacks, so I would like to hear more than one answer, but protection from attacks, what is not clear to you in this combination?
to: prox > I will be sure to read it this afternoon, thanks.
*I think I'll sum it up in a couple of days*
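
The geography-based blocking described in this post, as an added example that is not part of the original thread or of IPinfoDB's tooling: it turns start-end ranges from a country IP database into a minimal CIDR list and emits both an Apache 2.4 `.htaccess` block and `ipset restore` input. The sample rows (documentation address ranges), the placeholder country codes `AA`/`BB` and the set name `geo_block` are assumptions.

```python
import ipaddress

# Constructed sample rows in the shape of a country IP-range database:
# (first address, last address, country code). Documentation ranges only.
SAMPLE_ROWS = [
    ("192.0.2.0", "192.0.2.127", "AA"),
    ("192.0.2.128", "192.0.2.255", "AA"),
    ("198.51.100.0", "198.51.100.63", "BB"),
    ("203.0.113.16", "203.0.113.47", "AA"),
]


def country_networks(rows, country):
    """Turn the start-end ranges of one country into a minimal CIDR list."""
    nets = []
    for first, last, code in rows:
        if code != country:
            continue
        # A range that is not CIDR-aligned expands to several networks.
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    # Merge adjacent networks so the rule set stays as short as possible.
    return list(ipaddress.collapse_addresses(nets))


def htaccess_rules(nets):
    """Apache 2.4 (mod_authz_core) block for a .htaccess file."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {n}" for n in nets]
    lines.append("</RequireAll>")
    return "\n".join(lines)


def ipset_rules(nets, set_name="geo_block"):
    """Input for `ipset restore`, plus the one iptables rule that uses the set."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {n}" for n in nets]
    rule = f"iptables -I INPUT -m set --match-set {set_name} src -j DROP"
    return "\n".join(lines), rule


if __name__ == "__main__":
    blocked = country_networks(SAMPLE_ROWS, "AA")
    print(htaccess_rules(blocked))
    restore_input, iptables_rule = ipset_rules(blocked)
    print(restore_input)
    print(iptables_rule)
```

Using one ipset with a single iptables rule keeps packet matching fast even with thousands of ranges, whereas long `.htaccess` lists are evaluated on every request and only help once traffic has already reached the web server.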

lafayette, 2010-10-09
@lafayette

It is almost impossible to trace the customer; this, and the relative ease of use of this type of attack, explains their popularity... Unless the customer "burns" himself, which is unlikely.
As it is, they face at least Article 273 of the Criminal Code of the Russian Federation.

xsash, 2010-10-10
@xsash

On the topic of the law - the 3 main articles about access to computers ... and for severity they tack on extortion / fraud
bot management (if it is traced and taken under control)
3) leave contacts that can be associated with a living person (mail, icq, jabber), or which can be viewed by third parties
4) talk too much

Sergey Savostin, 2010-10-10
@savostin

To begin with, it seems to me, we need to figure out what exactly is meant by “protection against attack”.
It seems that everyone has their own vision of this issue ...

prox, 2010-10-10
@prox

www.arbornetworks.com/en/peakflow-sp.html
clients: AT&T, Verizon…

ddosguard, 2013-12-17
@ddosguard

Based on our many years of DDoS protection practice, we (ddos-guard.net) can give several relevant recommendations.
1) The reality is that protection at one point of presence (POP) is meaningless. Attacks are practically no longer carried out with bots; the most popular technology is DNS amplification, with attacks reaching 130-150Gbps, but the average value of a spherical attack in a vacuum for this type of attack is about 30Gbps, which is much more than an ordinary webmaster / hoster can filter on their own.
2) But even if a webmaster/hoster wants to spend ten or twenty thousand dollars on a 30Gbps infrastructure, 50Gbps may well arrive and this will nullify all efforts. The conclusion is to use specialized services that spend a lot of money on maintaining and developing their geo-distributed infrastructure.
3) For a hoster, the best solution is secure IP transit, where its networks are announced through a DDoS defender and already cleaned traffic comes to it.
4) You should never pay blackmailers who attack you - it's like bargaining with terrorists: having given them money once, you will pay more than once.
If you need advice on a specific case - please ask a question here or at [email protected], we will help.
