Why can't DDoS attacks be prevented?
A DDoS is a distributed attack carried out from many sources simultaneously, so there is not just one or two IP addresses to block. The attack may also bounce off a third party's service, e.g. an open NTP or DNS server, so the packets you see actually come from legitimate sites such as businesses or universities that can't simply be shut down. There are ongoing projects to locate those sites, advise them of the problem (e.g. a UDP amplification vulnerability in the service they run) and get them to patch or restrict it, but that takes time and cooperation.
A large DDoS attack may overwhelm your upstream provider's links before a single packet reaches you, so there is little you can do on your own server. The usual answer is to put a high-bandwidth, geographically diverse cloud service such as Cloudflare in front of it and let them absorb the traffic.
If every network implemented good egress filtering (source-address validation at the provider's edge, described in BCP 38), it would be much more difficult for attackers to spoof a victim's address. But it is sometimes hard to do, and it is work that mostly benefits someone you've never heard of, so many networks never get round to it.
I mean, if I have address 1.2.3.4 and you have 5.6.7.8, I can send a packet to xyz.com with your address 5.6.7.8 as the source that says "tell me all about X". So xyz.com sends a bunch of data to you that you didn't ask for, and typically a lot more data than my small request. If I do that to abc.com, def.com etc., all asking them to send data to 5.6.7.8, that's a DDoS. But if my ISP has a filter that says "hey, you can't have a source address starting with 5. You're inside our network and your address has to start with 1" and discards my packets, I could only spoof addresses (and so only attack victims) on my own network.
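The reflection attack and the edge filter above, as an added worked example that is not part of the original post. It models the post's toy topology in Python: the attacker at 1.2.3.4 sits inside an ISP that owns the hypothetical prefix 1.0.0.0/8, the victim is 5.6.7.8, and three hypothetical reflectors answer every request with a reply 50 times larger than the request (the addresses and the amplification factor are assumptions for illustration). The filter is a source-address check in the style of BCP 38: a packet leaving the customer network must carry a source inside that customer's prefixes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # claimed source address (what a reflector will reply to)
    dst: str    # destination address
    size: int   # bytes on the wire


# Constructed toy topology from the post (assumptions for illustration).
ATTACKER = "1.2.3.4"
VICTIM = "5.6.7.8"
ISP_PREFIXES = [ipaddress.ip_network("1.0.0.0/8")]   # the attacker's ISP
# Hypothetical open services: address -> bytes of reply per byte of request.
REFLECTORS = {"203.0.113.10": 50, "203.0.113.20": 50, "203.0.113.30": 50}


def bcp38_allows(pkt, customer_prefixes):
    """Source-address validation at the ISP edge: only let a packet out of the
    customer network if its source address belongs to that customer."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in customer_prefixes)


def reflect(pkt, reflectors):
    """Model an open reflector: it answers whatever source address the request
    claims, so a spoofed request turns into an amplified reply to the victim."""
    factor = reflectors.get(pkt.dst)
    if factor is None:
        return None
    return Packet(src=pkt.dst, dst=pkt.src, size=pkt.size * factor)


def run_attack(request_size, filtering):
    """Send one spoofed request of request_size bytes to every reflector and
    return the number of bytes that end up delivered to the victim."""
    delivered = 0
    for reflector in REFLECTORS:
        spoofed = Packet(src=VICTIM, dst=reflector, size=request_size)
        if filtering and not bcp38_allows(spoofed, ISP_PREFIXES):
            continue   # the ISP discards the packet at its edge
        reply = reflect(spoofed, REFLECTORS)
        if reply is not None and reply.dst == VICTIM:
            delivered += reply.size
    return delivered


def amplification(request_size, filtering):
    """Bytes received by the victim per byte the attacker sent."""
    sent = request_size * len(REFLECTORS)
    return run_attack(request_size, filtering) / sent


if __name__ == "__main__":
    print("no filtering :", run_attack(60, filtering=False), "bytes to victim")
    print("with BCP 38  :", run_attack(60, filtering=True), "bytes to victim")
    print("amplification:", amplification(60, filtering=False))
```

Without the filter, 180 bytes of spoofed requests become 9,000 bytes aimed at the victim, which is the whole point of reflection. With the filter, nothing reaches the victim, but note what the filter does not do: a source of 1.9.9.9 still passes `bcp38_allows`, so the attacker can still spoof neighbours inside 1.0.0.0/8, exactly as the post says.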
There are also human-driven attacks that are even harder to block. If a lot of people sign up for some political cause and a leader says "everyone send email to X", that's a DDoS on X's mailbox. If the leader says "everyone go to this web page, download this software and run it to attack X's website", that's a crowdsourced DDoS that is very hard to block, because it comes from thousands of real users on legitimate ISPs around the world, with no spoofing for a filter to catch.