I just published an article on DOS and DDOS in PenTest Magazine, here is a small part of the mitigation I discussed in the article (another part of the article can be found on www.ihackforfun.eu at no cost). The text makes more sense if you read the complete article since I did not only cover website/webserver DOS and DDOS attacks but also network equipment and real world DOS attacks ...
It is very hard to defend a web service or web application against every possible DOS attack. It is, however, possible to mitigate a large number of attacks, and most of that mitigation happens on the network equipment in front of the servers. Techniques used include traffic shaping (e.g. limiting the bandwidth available to each individual IP address), request analysis (e.g. dropping requests that are malformed), and blacklisting/whitelisting (banning IP addresses that show clear evil intent, or only allowing IP addresses of known good parties).

For websites it is also possible to separate static content from dynamic content by serving the static part from a CDN (content delivery network). This prevents the picture loading attack from bringing down the web application: the only visible effect for legitimate users is that the picture will not show, while the rest of the web application keeps working as expected.

Some of these mitigations are harmful in themselves. Blacklisting evil IP addresses will stop an attack from a botnet, but it also prevents every computer in that botnet from reaching your website, and since those computers may well belong to your customers, it could be keeping customers away from your web shop. Many of these mitigations also fail to point to the real attacker: they block the traffic source, not the person behind it.

Mitigating DOS attacks can require a significant investment, which may be too high for small and medium sized companies; typical investments are extra load balancers and higher bandwidth connections. For large companies there are even dedicated mitigation services, such as the one offered by Arbor Networks.

For attacks that abuse servers that are not configured correctly, you can contact the administrator of such a server and hope he corrects the settings. This will of course only help after the attack has happened, but it prevents that server from being used in subsequent attacks.
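The traffic shaping, request analysis and blacklisting described above, combined into one small filter as an added example (this is not code from the article or from the magazine): a per-IP token bucket that limits each client to a sustained request rate with a bounded burst, a check that drops syntactically malformed HTTP request lines, and a blocklist, all run over a constructed stream of requests in which one address floods an image URL while a second address browses normally. The IP addresses, timings, rate and burst values, and request lines are all assumed sample data; a real deployment would do this on the load balancer or edge device, not in the application.

```python
"""Per-IP token-bucket rate limiting plus malformed-request and blocklist filtering.

Added example, not from the original article. Times are integer milliseconds and
tokens are kept as integer millitokens so the refill arithmetic stays exact.
All addresses, request lines and timings below are constructed sample data.
"""
from collections import Counter


class PerIpLimiter:
    """Token bucket per client IP: `rate` requests/second sustained, bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.refill_per_ms = rate        # millitokens added per millisecond (= rate tokens/s)
        self.capacity = burst * 1000     # bucket size in millitokens
        self.buckets = {}                # ip -> [tokens, last_seen_ms]

    def allow(self, ip, now_ms):
        bucket = self.buckets.get(ip)
        if bucket is None:               # first contact: a full bucket, so bursts are allowed
            bucket = self.buckets[ip] = [self.capacity, now_ms]
        tokens, last = bucket
        tokens = min(self.capacity, tokens + (now_ms - last) * self.refill_per_ms)
        bucket[1] = now_ms
        if tokens >= 1000:               # one full token buys one request
            bucket[0] = tokens - 1000
            return True
        bucket[0] = tokens               # keep the refilled balance, reject this request
        return False


def is_malformed(request_line):
    """Cheap request analysis on the HTTP request line only (assumed policy)."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return True
    method, target, version = parts
    if method not in {"GET", "HEAD", "POST"}:
        return True
    if not target.startswith("/") or len(target) > 2048:
        return True
    return version not in {"HTTP/1.0", "HTTP/1.1"}


def filter_requests(requests, limiter, blocklist):
    """Return (ip, decision) per request; cheapest checks first so floods cost little."""
    decisions = []
    for t_ms, ip, line in requests:
        if ip in blocklist:
            decision = "blocked"
        elif is_malformed(line):
            decision = "malformed"
        elif not limiter.allow(ip, t_ms):
            decision = "rate-limited"
        else:
            decision = "served"
        decisions.append((ip, decision))
    return decisions


def constructed_sample():
    """Constructed traffic: one address floods a picture URL, one browses, one is blocklisted."""
    flood = [(10_000 + 20 * i, "203.0.113.5", "GET /images/big.jpg HTTP/1.1") for i in range(30)]
    legit = [(10_000, "198.51.100.7", "GET / HTTP/1.1"),
             (10_500, "198.51.100.7", "GET /shop HTTP/1.1"),
             (11_000, "198.51.100.7", "POST /cart HTTP/1.1")]
    other = [(10_300, "192.0.2.9", "GET / HTTP/1.1"),       # assumed to be on the blocklist
             (11_200, "198.51.100.7", "GET /x")]              # truncated request line
    return sorted(flood + legit + other, key=lambda r: r[0])


def run_sample():
    """Apply the filter to the sample and return a count per decision."""
    limiter = PerIpLimiter(rate=5, burst=10)                 # assumed policy: 5 req/s, burst 10
    decisions = filter_requests(constructed_sample(), limiter, blocklist={"192.0.2.9"})
    return dict(Counter(decision for _, decision in decisions))


if __name__ == "__main__":
    limiter = PerIpLimiter(rate=5, burst=10)
    per_ip = Counter(filter_requests(constructed_sample(), limiter, {"192.0.2.9"}))
    for (ip, decision), n in sorted(per_ip.items()):
        print(f"{ip:14} {decision:13} {n}")
```

With these settings the flooding address gets its first eleven requests served (the burst), then only as many as the 5 requests per second refill allows, while the normally browsing address is never throttled. Note the order of the checks: the blocklist and the malformed-line test are evaluated before the bucket is touched, so rejected requests do not consume the client's budget, and a flood of garbage is dropped at the cheapest possible point.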