Brainstorm: Flood/DoS/DDoS Attack prevention ideas

Tags: ddos, denial-of-service

This is not a question asking how to stop an attack. This is simply a thread for anyone and everyone to discuss ideas for preventing, dealing with, and keeping your server alive during these attacks.

Do not discuss using 3rd party software, this is a place to make your own ideas and read others.

Post examples if you'd like.
Post ideas how to filter out flood attacks.
Post ideas how to keep your server alive while being under a heavy DDoS attack.

Best Answer

During a DDOS SYN attack, I moved my site to a 2nd IP and had my ISP block the original IP at their level. While this did create a bit of downtime as a result of DNS propagation, it did relieve the load and get me back online. Blocking the original IP at the ISP level kept the DDOS from reaching my servers. A secondary DDOS attack was then launched made up of legit connections, but lots of them. I ended up patching my Linux firewall's iptables to use ipset for better performance as I blocked the thousands of IPs.

After the attack I tested various firewalls (sorry, no Cisco). PF with its synproxy flag from the BSD family gave the best results. Unlike most firewalls that just kicked in rate limiting during an attack, pf with its synproxy stopped a lot of the connections at the firewall. Also, pf's tables have great lookup performance and are dynamically updatable. No reload required. pf also has a lot of options for tuning performance and scrubbing incoming packets/connections.

netfilter with ipset gave good performance, but no synproxy.

Another possibility is to use cloud based hosting, allowing you to keep throwing more bandwidth and hardware at the attack so your clients don't feel the attack.

The only way to truly prevent a DDOS is to keep your server(s) off the internet. But then you have to explain to management why no one can see your company's website. :-)
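To make the "block thousands of IPs with ipset / pf tables, no reload" part of the answer above concrete, here is an added example (my own script, not the answerer's code). It takes `ss`-style connection output, counts connections per peer address, and emits either an `ipset restore` feed or `pfctl -t ... -T add` commands for the peers above a threshold, so the blocklist can be refreshed from cron while the box is under load without touching the ruleset. The connection sample, the set/table name `flood`, the threshold values and the address ranges are all constructed for the demo.

```shell
#!/bin/sh
# Added example: turn a snapshot of open connections into a dynamic blocklist.
# Assumes: "ss -nt"-style input (peer address:port is the last column),
# a netfilter host with ipset, or a pf host with a persistent table.
# Names (flood, ALLOW list, thresholds) are illustrative, not from the post.

# Constructed sample of "ss -nt" output: 198.51.100.7 has 4 connections,
# 192.0.2.33 has 3, and 203.0.113.200 is a single legitimate client.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 203.0.113.10:80 198.51.100.7:51234
ESTAB 0 0 203.0.113.10:80 198.51.100.7:51235
SYN-RECV 0 0 203.0.113.10:80 198.51.100.7:51236
ESTAB 0 0 203.0.113.10:80 198.51.100.7:51237
ESTAB 0 0 203.0.113.10:80 192.0.2.33:40001
ESTAB 0 0 203.0.113.10:80 192.0.2.33:40002
ESTAB 0 0 203.0.113.10:80 192.0.2.33:40003
ESTAB 0 0 203.0.113.10:443 203.0.113.200:55000'

# top_talkers THRESHOLD [ALLOWLIST]
# stdin: ss-style lines. Prints "count ip" for every peer with at least
# THRESHOLD connections, highest first. ALLOWLIST is a space-separated set
# of addresses that must never be blocked (monitoring hosts, your own VPN).
top_talkers() {
    awk -v thr="$1" -v allow="${2:-}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Skip the header and anything whose last field is not addr:port.
        $NF !~ /:[0-9]+$/ { next }
        {
            ip = $NF
            sub(/:[0-9]+$/, "", ip)     # strip the port (works for [v6]:port too)
            if (ip in ok) next
            c[ip]++
        }
        END { for (ip in c) if (c[ip] >= thr) print c[ip], ip }
    ' | sort -rn
}

# emit_ipset_restore SETNAME THRESHOLD [ALLOWLIST]
# Output is in "ipset restore" format. The entries carry a timeout so an
# address that stops flooding falls out of the set on its own; feed it with
#   script | ipset -exist restore
# and match it once from iptables:
#   iptables -I INPUT -m set --match-set SETNAME src -j DROP
emit_ipset_restore() {
    name="$1"; thr="$2"; allow="${3:-}"
    echo "create $name hash:ip family inet hashsize 65536 maxelem 1000000 timeout 3600"
    top_talkers "$thr" "$allow" | awk -v n="$name" '{ print "add " n " " $2 }'
}

# emit_pf_table_cmds TABLE THRESHOLD [ALLOWLIST]
# Prints pfctl commands that add to a live pf table; no ruleset reload needed.
# pf.conf counterpart (assumed interface/host macros):
#   table <flood> persist
#   block in quick on $ext_if from <flood>
#   pass in on $ext_if proto tcp to $web_srv port { 80 443 } flags S/SA synproxy state
emit_pf_table_cmds() {
    name="$1"; thr="$2"; allow="${3:-}"
    top_talkers "$thr" "$allow" | awk -v n="$name" '{ print "pfctl -t " n " -T add " $2 }'
}

# Run the sample through both emitters when invoked as: sh script.sh --demo
# In production replace the sample with:  ss -nt | emit_ipset_restore flood 200 "$ALLOW"
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | emit_ipset_restore flood 3
    printf '%s\n' "$SAMPLE_SS" | emit_pf_table_cmds flood 3
fi
```

Two things a practitioner will want to keep in mind: pick the threshold from what your application normally sees per client (NAT gateways and proxies legitimately open many connections, which is what the allowlist argument is for), and give the entries a timeout rather than blocking forever, since botnet addresses churn and a permanent set just grows. On the pf side the `synproxy state` line is what stops half-open SYNs at the firewall; the table only handles the "lots of legitimate-looking connections" phase the answer describes.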
