LinuxQuestions.org
Old 04-03-2013, 11:51 AM   #1
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Rep: Reputation: 78
How to fight a DDOS attack?


Although I've never been a victim of one myself, I often wonder how one deals with a ddos attack. This article in particular suggests it might be worth knowing more about it.

Would blocking IP ranges help? Where does the bottleneck occur? Is it DNS or is it Apache or is it somewhere else?
 
Old 04-03-2013, 12:31 PM   #2
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
A denial of service attack is basically asking a system for something so many times at once that it runs out of that thing and nobody can use the system. This can be anything from ping replies to DHCP requests to information from a database.
For a DOS attack from one source, yes, you can often just block IP addresses, and for simple DDOS attacks IP ranges. However, in a true DDOS the attacking IPs have nothing in common, so there is no way to prevent the attack, and only having more resources than the attackers can request can beat the attack -- that happened here, for example:
http://www.theregister.co.uk/2013/03...ateral_damage/
 
Old 04-03-2013, 03:33 PM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Part of the problem with an attack of this nature is that attempting to filter and block the connections starts to consume a vast amount of resources. Typically intervention upstream, like at the ISP level, is required in these types of situations.

Here are a couple of interesting articles regarding a recent and fairly high profile ddos situation involving Spamhaus, link one, link two.
 
Old 04-03-2013, 03:45 PM   #4
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
Should also mention that, since DDOS traffic is made to look identical to normal traffic for whichever service is being attacked, there is no way to tell what is a DDOS attack and what is a genuine request -- so you have to block everything thus denying service anyhow.
 
Old 04-05-2013, 10:36 AM   #5
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Quote: Originally Posted by 273
A denial of service attack is basically asking a system for something so many times at once that it runs out of that thing and nobody can use the system. This can be anything from ping replies to DHCP requests to information from a database.
This suggests that a good attack strategy is to generate the most resource-intensive requests possible. Conversely, a good defense would be to identify and drop as quickly as possible any spurious requests.

Quote: Originally Posted by 273
For a DOS attack from one source, yes, you can often just block IP addresses, and for simple DDOS attacks IP ranges. However, in a true DDOS the attacking IPs have nothing in common, so there is no way to prevent the attack, and only having more resources than the attackers can request can beat the attack -- that happened here, for example:
http://www.theregister.co.uk/2013/03...ateral_damage/
This is a grim thought. I had heard of the spamhaus attacks. I'll be reading that article.
 
Old 04-05-2013, 10:40 AM   #6
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Quote: Originally Posted by Noway2
Part of the problem with an attack of this nature is that attempting to filter and block the connections starts to consume a vast amount of resources. Typically intervention upstream, like at the ISP level, is required in these types of situations.
I can definitely appreciate the need to get one's ISP involved. Still, I'm wondering if there might be clustered architectures that are better able to be reconfigured to deal with such an attack. I'm imagining that a single dedicated server is more vulnerable than a virtually allocated cluster, but this is not based on any vast amount of knowledge. Is there some kind of resilient architecture one can generally adopt that is more defensible?

Quote: Originally Posted by Noway2
Here are a couple of interesting articles regarding a recent and fairly high profile ddos situation involving Spamhaus, link one, link two.
Thanks for those links. Will be reading them.
 
Old 04-05-2013, 10:42 AM   #7
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Quote: Originally Posted by 273
Should also mention that, since DDOS traffic is made to look identical to normal traffic for whichever service is being attacked, there is no way to tell what is a DDOS attack and what is a genuine request -- so you have to block everything thus denying service anyhow.
OK that's depressing. I'm imagining that DDOS is kind of an art form and that some are better than others at generating more random-looking requests that resist filtering. I'm further imagining that someone has already written a nearly perfect, state-of-the-art DDOS tool and it's probably been open sourced somewhere.
 
Old 04-05-2013, 10:50 AM   #8
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
There are plenty of DOS and DDOS tools out there already.
There isn't really anything clever about it though. You just infect a load of zombie machines, or buy some off a website somewhere, then tell them all to (for example) do a DNS lookup on the target or request a web page. How will the target know whether it's a legitimate request or an attack?
 
Old 04-05-2013, 11:21 AM   #9
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Quote: Originally Posted by 273
How will the target know whether it's a legitimate request or an attack?
This is precisely the sort of thing I'd like to know more about. I can imagine a sloppy attack might request the same web page over and over and over again and never once download any javascript or images, for example. Or a single IP requesting DNS lookup over and over again -- that sounds really suspect as the remote machine would be totally ignoring any of the TTL values.
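The heuristics in this post (the same page fetched over and over, and a client that never pulls the page's scripts or images) can be checked against a web server's access log. The following is an added example, not code from the thread: it parses Apache "combined" format lines, and for each source IP computes how many times the same path was requested inside any 60-second window and how many static assets it fetched. The sample log lines are constructed, not real traffic, and the thresholds are assumptions to tune for a given site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache "combined" access-log lines (not real traffic).
# 203.0.113.7 behaves like a browser: page, then its CSS/JS/image, then a second page.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2013:14:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2013:14:00:01 -0500] "GET /static/site.css HTTP/1.1" 200 812 "http://example.test/index.html" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2013:14:00:02 -0500] "GET /static/app.js HTTP/1.1" 200 2311 "http://example.test/index.html" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2013:14:00:02 -0500] "GET /static/logo.png HTTP/1.1" 200 9980 "http://example.test/index.html" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2013:14:00:40 -0500] "GET /about.html HTTP/1.1" 200 3100 "http://example.test/index.html" "Mozilla/5.0"
"""
# Constructed flood: 198.51.100.23 asks for the same page 30 times in 30 seconds
# and never fetches a single asset.
FLOOD_LINES = [
    f'198.51.100.23 - - [05/Apr/2013:14:00:{s:02d} -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "-"'
    for s in range(3, 33)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
ASSET_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".ico", ".woff")


def parse_line(line):
    """Return (ip, epoch_seconds, path_without_query) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["path"].split("?", 1)[0]


def max_repeats_in_window(times, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def profile_clients(lines, window=60, repeat_threshold=20):
    """Per-IP summary: request count, asset count, worst same-path repeat rate, suspect flag.

    A client is flagged when it hammers one path at or above `repeat_threshold`
    times per `window` seconds AND never requested any static asset; a real
    browser rendering a page normally fetches both. Thresholds are assumptions.
    """
    per_ip_path = defaultdict(lambda: defaultdict(list))
    stats = defaultdict(lambda: {"requests": 0, "assets": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        per_ip_path[ip][path].append(ts)
        stats[ip]["requests"] += 1
        if path.lower().endswith(ASSET_EXT):
            stats[ip]["assets"] += 1
    for ip, paths in per_ip_path.items():
        repeat = max(max_repeats_in_window(ts_list, window) for ts_list in paths.values())
        stats[ip]["max_repeat"] = repeat
        stats[ip]["suspect"] = repeat >= repeat_threshold and stats[ip]["assets"] == 0
    return dict(stats)


if __name__ == "__main__":
    for ip, s in profile_clients(SAMPLE_LOG.splitlines() + FLOOD_LINES).items():
        print(ip, s)
```

Run against a real log with `profile_clients(open("/var/log/apache2/access.log"))` (path assumed). Note the limits the thread already points out: a client that is merely behind a proxy or a scraper with a cache will trip the asset heuristic, and a large botnet stays under the per-IP threshold by design, so this is a triage aid for a single-source or small flood, not a defence against a truly distributed one.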
 
Old 04-05-2013, 01:40 PM   #10
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote: Originally Posted by sneakyimp
I can definitely appreciate the need to get one's ISP involved. Still, I'm wondering if there might be clustered architectures that are better able to be reconfigured to deal with such an attack.
I think the answer is a maybe, and it would depend upon what the weakest link is. The DDOS attack hits you in two ways: processing resources and network bandwidth. If your limiting factor is processing capability, a cluster with load sharing, or even a front-end proxy, would buy you a great deal. If you are limited by the network capacity, the only thing you could do is filter upstream.
 
Old 04-05-2013, 02:11 PM   #11
manu-tm
Member
 
Registered: May 2008
Location: France
Distribution: Ubuntu, Debian
Posts: 343

Rep: Reputation: 43
I think the more distributed the attack, the more difficult it is to counter.

I'm wondering if there could be a way, at server level, to limit, during a time period, successive identical requests from one IP address without hampering legitimate inbound traffic.
 
Old 04-05-2013, 02:15 PM   #12
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
Quote: Originally Posted by manu-tm
I think the more distributed the attack, the more difficult it is to counter.

I'm wondering if there could be a way, at server level, to limit, during a time period, successive identical requests from one IP address without hampering legitimate inbound traffic.
There is, as far as I know, on most servers. That's why a lot of machines need to be used. I can't pretend to understand this fully, but it's an explanation of how hosts are recruited to DDOS:
http://www.theregister.co.uk/2013/03..._the_internet/
 
Old 04-05-2013, 02:40 PM   #13
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Quote: Originally Posted by Noway2
I think the answer is a maybe, and it would depend upon what the weakest link is. The DDOS attack hits you in two ways: processing resources and network bandwidth. If your limiting factor is processing capability, a cluster with load sharing, or even a front-end proxy, would buy you a great deal. If you are limited by the network capacity, the only thing you could do is filter upstream.
Having been enormously frustrated by running BIND in the past, I now typically rely on DNS services like Amazon Route 53. Hopefully Amazon would know how to deal with such an attack?

Might it be possible to exhaust the available ports on a web server? If I'm not mistaken, you may connect to a web server on port 80, but the server will then delegate the work of file transfer to some other port -- and port numbers, being described with a 16-bit int, are only about 65,000 in number. Seems to me that any botnet with a size that is some multiple of 2^16 would be able to shut down even an extraordinarily powerful system simply by occupying all 2^16 ports. Please correct me if I understand this incorrectly.
 
Old 04-05-2013, 02:45 PM   #14
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Quote: Originally Posted by manu-tm
I think the more distributed the attack, the more difficult it is to counter.
Without a doubt.

Quote: Originally Posted by manu-tm
I'm wondering if there could be a way, at server level, to limit, during a time period, successive identical requests from one IP address without hampering legitimate inbound traffic.
I think iptables would be useful in this regard. Like this example. I'm no master of iptables commands, but I've been extremely pleased with the protections offered by fail2ban.

Last edited by sneakyimp; 04-05-2013 at 02:46 PM. Reason: fix quote tag
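manu-tm's question (limit repeated requests from one IP over a time period without hurting legitimate traffic) and the iptables answer here both come down to a per-source rate limiter. The block below is an added example, not code from the thread or from iptables or fail2ban: it implements a per-source token bucket of the kind that the iptables `hashlimit` match and a web server's request-rate limit apply, and it also bounds its own state table, because Noway2's point that filtering itself consumes resources applies to the limiter as well: an attacker who shows up from very many addresses would otherwise fill its memory. The rates, burst size, table size and the simulated clients are all constructed assumptions.

```python
class PerSourceLimiter:
    """Token bucket per source address.

    Each source may sustain `rate` requests per second and spend up to `burst`
    tokens at once, which lets a real browser fetch a page and its assets in
    one go while a steady flood from one address is cut to `rate`.
    The table is capped at `max_sources` entries; idle entries older than
    `idle_ttl` seconds are dropped first, then the least recently seen one,
    so the limiter's own memory cannot be exhausted by a crowd of sources.
    """

    def __init__(self, rate=2.0, burst=10, max_sources=100_000, idle_ttl=60.0):
        self.rate = rate
        self.burst = burst
        self.max_sources = max_sources
        self.idle_ttl = idle_ttl
        self.buckets = {}  # src -> [tokens, last_seen]

    def _evict(self, now):
        stale = [s for s, (_, last) in self.buckets.items() if now - last > self.idle_ttl]
        for s in stale:
            del self.buckets[s]
        if len(self.buckets) >= self.max_sources:
            oldest = min(self.buckets, key=lambda s: self.buckets[s][1])
            del self.buckets[oldest]

    def allow(self, src, now):
        """Return True if the request from `src` at time `now` (seconds) may pass."""
        bucket = self.buckets.get(src)
        if bucket is None:
            if len(self.buckets) >= self.max_sources:
                self._evict(now)
            bucket = self.buckets[src] = [float(self.burst), now]
        tokens, last = bucket
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)  # refill
        bucket[1] = now
        if tokens >= 1.0:
            bucket[0] = tokens - 1.0
            return True
        bucket[0] = tokens
        return False


def simulate():
    """Constructed scenario: one browser-like client and one single-address flood."""
    lim = PerSourceLimiter(rate=2.0, burst=10)
    # Browser: page plus four assets in the same second, then another page 30 s later.
    browser = [lim.allow("203.0.113.7", 0.0) for _ in range(5)]
    browser.append(lim.allow("203.0.113.7", 30.0))
    # Flood: 100 requests for the same page within the same second.
    flood_allowed = sum(lim.allow("198.51.100.23", 5.0) for _ in range(100))
    return {
        "browser_all_allowed": all(browser),
        "flood_allowed": flood_allowed,   # equals the burst size
        "flood_dropped": 100 - flood_allowed,
    }


if __name__ == "__main__":
    print(simulate())
```

The flood source gets exactly `burst` requests through and then two per second, while the browser never notices the limiter. What this cannot do is the case 273 describes: a botnet that spreads its requests over thousands of addresses stays under every per-source limit, which is why the thread keeps coming back to upstream filtering and raw capacity for a true DDOS.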
 