The nature of a denial of service attack is hard to mitigate. It’s not necessarily a “hack” as in a vulnerability or exploit. It typically involves some form of flooding connections with requests to the point where the server is out of processing power, disk reads/writes, and/or bandwidth. It’s hard to filter the spam requests because requests solicit the server the same as user requests and require accepting and reading the request to determine if it’s spam or not. It’s more of a “who has more resources” than “who has better security” problem.
Correct. And the serious players take away all the easy mitigations, like tossing packets up front from a few source IP addresses or MACs, by randomizing those.