In general, though, the best way to mitigate against DDoS attacks is to simply have the capacity to withstand large amounts of inbound traffic. Depending on your situation, that might mean beefing up your own network, or making use of a content delivery network (CDN), a service designed to accommodate huge amounts of traffic. Your network service provider might have their own mitigation services you can make use of.

Is DDoS illegal?

Yes, DDoS is illegal. Most anti-cybercrime laws, in the U.S., the U.K., and elsewhere, are fairly broadly drawn and criminalize any act that impairs the operation of a computer or online service, rather than specifying particular techniques. And the act of hacking into a computer to make it part of a botnet is itself illegal. 

You might see a counterargument that goes something like this: it’s not illegal to send web traffic or requests over the internet to a server, and so therefore DDoS attacks, which are just aggregating an overwhelming amount of web traffic, cannot be deemed a crime. This is a fundamental misunderstanding of the law, however.