问防御DDOS攻击的最佳方法是什么？

EN

1. to make your service unavailable
2. to demand money for protection from the perps themselves (maffia technique)

1. make sure to be "mobile": Be ready to swiftly change where your service is located (e.g.: make sure to use relative small caching times (time to live) for DNS names, so you can quickly and nimbly switch servers for genuine users each time side-stepping the ongoing attack)
2. have fallback servers ready: if you need to sidestep an attack, it really helps to have servers idling that can take over the real users at any time. CDNs can help here too, but make sure they won't abandon you or charge you excessive amount if you're under attack. This might well mean you want to replicate e.g. (crucial) (parts of) your databases on an ongoing basis as to make sure the alternate servers have the data they need.
3. explore contracts up front: if you need to negotiate, your downtime will be longer. The important parts are to mitigate your costs while under attack for e.g. incoming bandwidth that you cannot control. Similarly that they won't drop you as a customer because you're under attack. For your alternate servers, you might want to minimise costs while not under attack. Etc.
4. prioritise: What services do you really need while under attack ? Have smaller, lighter versions of your service ready to react on overload. For added bonus: make your services aware of "current" load and overload conditions and adapt the service accordingly automatically.
5. low impact services: the less impact a visitor has on your server resources, the harder it is to take you out (or the les effect there is). e.g. Make sure the costly services are for authenticated users only, not for public consumption. (that way you can lock out abusive users more easily)
6. Have communication plans made up: determine what is going to be communicated by whom (to whom) over what medium up front. Don't worry too much about info you give to your attacker: they know already if they're a tiny bit smart. You need to inform your regular customers/users and gain a bit of PR back for a diminished service/quality you're able to provide under the difficult circumstances.  
7. Make sure every decision maker agrees to have a policy to NEVER EVER pay for the attack to stop, as it will only come back worse. If you're a likely target, make this policy public.