
There are so many Intrusion Detection Systems and systems that block IP addresses with suspicious behavior. Everyone can use those systems, as many of them are free.

But why is it then still possible for people like Anonymous to DDoS a server, if they should be blocked immediately by the system?

Are the DDoS programs used special programs?

Noah Krasser

3 Answers


Blocking attack traffic at the firewall will mitigate an attack designed to overwhelm server CPU or memory resources, but most high-profile attacks simply send a flood of data aiming to exhaust the target's network bandwidth. In this case the attacker doesn't care if you are blocking the data, because by the time your firewall can block it your network bandwidth has already been consumed.

For an analogy imagine if you owned a shop in a mall and a competitor sends a flood of fake shoppers to crowd your store, intending to prevent real shoppers from being able to enter. You can learn to recognize these fake shoppers and turn them away at the door, but it won't do any good because your store's entrance is still jam packed with fake shoppers. The problem would need to be dealt with upstream where there is more capacity, for instance at the mall's entrance.

tlng05
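To make the placement argument concrete, here is an added example (not code from the original answer) in Python: a toy two-bottleneck model of a site behind a single ingress link. Traffic that does not fit through the link is dropped at the link, before any on-premises device sees it, so a firewall behind the link cannot give that capacity back; only a filter placed upstream of the link (at the ISP or a scrubbing provider, the "mall entrance" in the analogy) protects legitimate traffic. The model also shows the other half of the answer: a flood aimed at the server's request-processing capacity rather than the link is stopped fine by the on-premises firewall. Capacities, rates and the proportional-drop rule are assumptions of this example, not figures from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Traffic:
    mbps: float  # bandwidth the stream consumes on the ingress link
    rps: float   # requests (or packets) per second the server must process


def squeeze(load, capacity):
    """Fraction of an offered load that gets through a stage of fixed capacity.

    Assumed drop model: when offered load exceeds capacity, the stage drops
    everything in proportion, so each stream keeps capacity/load of itself.
    """
    return 1.0 if load <= capacity else capacity / load


def legit_served(legit, attack, link_mbps, server_rps, filter_at):
    """Legitimate requests/s the server completes for a given filter placement.

    filter_at is one of:
      "none"     - no filtering anywhere
      "firewall" - attack traffic dropped on premises, after the ingress link
      "upstream" - attack traffic dropped before it reaches the ingress link
    """
    if filter_at not in ("none", "firewall", "upstream"):
        raise ValueError(f"unknown filter placement: {filter_at!r}")

    # Stage 1: the ingress link. Upstream filtering keeps the attack off it.
    attack_on_link = Traffic(0, 0) if filter_at == "upstream" else attack
    link_share = squeeze(legit.mbps + attack_on_link.mbps, link_mbps)
    legit_after_link = legit.rps * link_share
    attack_after_link = attack_on_link.rps * link_share

    # Stage 2: the on-premises firewall. Filtering here removes attack packets
    # that already crossed the link; it cannot restore legitimate packets the
    # saturated link dropped.
    if filter_at == "firewall":
        attack_after_link = 0.0

    # Stage 3: the server's own request-processing capacity.
    server_share = squeeze(legit_after_link + attack_after_link, server_rps)
    return legit_after_link * server_share


def report(legit, attack, link_mbps, server_rps):
    """Legitimate requests/s served under each placement, for comparison."""
    return {p: round(legit_served(legit, attack, link_mbps, server_rps, p), 1)
            for p in ("none", "firewall", "upstream")}


if __name__ == "__main__":
    # Constructed scenario: 1 Gbit/s link, server good for 10k requests/s,
    # 200 Mbit/s (2k requests/s) of real users.
    users = Traffic(mbps=200, rps=2_000)
    # A bandwidth flood: 10 Gbit/s of junk, far more than the link carries.
    print("volumetric:", report(users, Traffic(mbps=10_000, rps=1_000_000), 1_000, 10_000))
    # A request flood: small on the wire, but 100k requests/s at the server.
    print("request flood:", report(users, Traffic(mbps=50, rps=100_000), 1_000, 10_000))
```

Against the volumetric flood the firewall placement still delivers only about 10% of legitimate requests (the link already threw away the rest), while upstream filtering delivers all of them; against the request flood the on-premises firewall alone is enough.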

There are a few different strategies employed when it comes to launching successful DDoS attacks. The goal of a DDoS attack is to target and exhaust a resource in order to disrupt a service, so it's essentially a battle of resources; resources to attack and resources to defend. A resource here is a very broad term, and different DDoS attacks will target different resources to different effects. Resources can range from hardware, to OS, or provider-imposed limits. Some examples are memory (RAM), CPU, open file limits (active TCP connections), network bandwidth and so on.

A company has a finite number of resources for defending against DDoS attacks and can therefore only defend against a finite amount of DDoS traffic. This comes in the form of how much budget they've allocated to protect their systems (DDoS mitigation appliances, IDS systems with a set number of CPUs and RAM, or cloud scrubbing subscription levels). The imbalance comes where attacking resources are usually exponentially cheaper than the resources used to defend, typically because they're illegally obtained (malware spreading and infecting systems).

Because of this imbalance between the costs of attacking and defending, it becomes much easier to generate attack traffic beyond what the limitations of the defending resources can handle, even if they can do so fairly efficiently. This is why attackers are generally still successful. They generate enough attack traffic so that they'll hit a bottleneck of one or multiple of the defending resources. In most cases, for volumetric traffic, it will be network bandwidth limits. If you have enough network bandwidth, then CPU will likely be the bottleneck from processing millions of packets.

Another strategy attackers use is to specifically use resource-intensive requests that look like normal traffic. The most common case of this is using HTTP requests. If you're running a web server then you're expecting HTTP traffic, so you'll have to do a deeper inspection of the traffic (known as Deep Packet Inspection or DPI) in order to determine whether it's legitimate or not. This is more expensive on the defensive side and therefore less resource intensive for the attacker. This makes it even more difficult to detect because these are not "loud" and don't necessarily look unusual to the receiver.
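The point about resource-intensive requests that look normal is easiest to see in detection logic. The following is an added example (Python, not code from the answer): a per-client aggregation over constructed web-server log lines in which a count-based threshold flags a chatty but harmless client, while the client doing real damage sends only four requests. Weighting each request by the server time it consumed (the last field of each constructed line, in milliseconds, an assumed log format) is the kind of deeper look the answer says is needed; a packet- or request-count rule does not see the difference. The IP addresses, paths and timings are all constructed.

```python
import re
from collections import defaultdict

# Assumed log format: combined-log style with the request's service time in
# milliseconds appended as a final field. Sample lines are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<ms>\d+)$'
)

_NORMAL = [  # an ordinary visitor: a page, its assets, a login
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 3',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /static/app.js HTTP/1.1" 200 88231 4',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /static/site.css HTTP/1.1" 200 14012 2',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 302 - 25',
    '203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /account HTTP/1.1" 200 7310 18',
]
_EXPENSIVE = [  # few requests, each one tying up the backend for ~2 s
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=a HTTP/1.1" 200 2400 1800',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=b HTTP/1.1" 200 2400 1750',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=c HTTP/1.1" 200 2400 1900',
    '198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /search?q=d HTTP/1.1" 200 2400 1700',
]
_CHATTY = [  # many requests, each nearly free to serve
    f'192.0.2.9 - - [10/Oct/2023:13:55:{36 + i // 10:02d} +0000] "GET /favicon.ico HTTP/1.1" 200 318 1'
    for i in range(30)
]
LOG_LINES = _NORMAL + _EXPENSIVE + _CHATTY


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["ms"] = int(rec["ms"])
    return rec


def per_client(lines):
    """Request count and total server time (ms) per client IP."""
    stats = defaultdict(lambda: {"requests": 0, "cost_ms": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate malformed lines instead of dropping the whole window
        stats[rec["ip"]]["requests"] += 1
        stats[rec["ip"]]["cost_ms"] += rec["ms"]
    return dict(stats)


def flag_by_count(lines, max_requests):
    """The naive rule: clients that sent more than max_requests in the window."""
    return {ip for ip, s in per_client(lines).items() if s["requests"] > max_requests}


def flag_by_cost(lines, budget_ms):
    """The cost-aware rule: clients that consumed more than budget_ms of server time."""
    return {ip for ip, s in per_client(lines).items() if s["cost_ms"] > budget_ms}


if __name__ == "__main__":
    print("by count:", flag_by_count(LOG_LINES, 20))   # the harmless favicon client
    print("by cost:", flag_by_cost(LOG_LINES, 5000))   # the four slow searches
```

Keying on the source IP is the simplest grouping and the one a botnet defeats by spreading the requests across many hosts; the reusable part is the weighting, which can be applied to whatever the request is keyed on (session, path, account).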


Just adding extra facts to complement the answer.

An Intrusion Detection System (IDS) is just a firewall built with extra programs that act upon incoming traffic, caching the counter and state of each incoming flow to decide what to do next.

SYN-flood attack mitigation should be done by the ISP. However, there is little an IDS can do to prevent degradation-of-service attacks. Since most web services run on a specific TCP/IP port, an IDS has no way to evade such slow fixed-port "flood" attacks.

(Update) Thus, for a B2B environment, it is recommended to use a VPN. However, a VPN solution is costly to maintain, i.e. you either need a VPN server on the client end or create a desktop VPN client. In addition, for a lucrative target, the DDoS paradigm shifts from the web service port to the VPN server.

mootmoot
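The SYN flood mentioned in this answer is a good illustration of a fixed-port attack that exhausts a state table rather than bandwidth. The following is an added example (Python, not code from the answer): a time-stepped model of a listener's half-open connection table. It assumes a listener that stores an entry for every SYN it accepts (no SYN cookies or similar stateless handling), a fixed backlog size and a fixed half-open timeout; the attacker's SYNs come from spoofed sources that never complete the handshake, so each one holds a slot until it times out, while legitimate clients complete the handshake at once and only need a free slot at the moment their SYN arrives. All numbers are constructed. Note that the attack rate in the second scenario is only 1000 SYN/s, a trickle compared with a bandwidth flood, and with spoofed sources there is no address for a per-IP blocklist to act on.

```python
def simulate_syn_flood(backlog, attack_syn_per_s, legit_syn_per_s, timeout_s, duration_s):
    """Fraction of legitimate SYNs that found a free half-open slot.

    Assumed listener model: every accepted SYN occupies one of `backlog`
    half-open slots. Attack SYNs (spoofed, never acknowledged) keep their slot
    for `timeout_s` seconds; legitimate SYNs complete immediately and free
    their slot within the same tick. Arrivals within a second are interleaved
    evenly so neither side is favoured by ordering alone.
    """
    if legit_syn_per_s <= 0:
        raise ValueError("need a positive legitimate SYN rate to measure against")
    half_open = []  # expiry tick of each attack-held slot
    legit_ok = legit_total = 0
    for t in range(duration_s):
        # Drop entries whose timeout has elapsed.
        half_open = [exp for exp in half_open if exp > t]
        arrivals = sorted(
            [(i / attack_syn_per_s, "attack") for i in range(attack_syn_per_s)]
            + [(i / legit_syn_per_s, "legit") for i in range(legit_syn_per_s)]
        )
        for _, kind in arrivals:
            if kind == "legit":
                legit_total += 1
                if len(half_open) < backlog:
                    legit_ok += 1      # handshake completes, slot freed at once
            elif len(half_open) < backlog:
                half_open.append(t + timeout_s)  # spoofed SYN parks in the table
            # an attack SYN arriving at a full table is simply dropped
    return legit_ok / legit_total


def sweep(backlog, legit_syn_per_s, timeout_s, duration_s, rates):
    """Legitimate acceptance fraction for each attack rate in `rates`."""
    return {r: round(simulate_syn_flood(backlog, r, legit_syn_per_s, timeout_s, duration_s), 3)
            for r in rates}


if __name__ == "__main__":
    # Constructed listener: 4096 half-open slots, 60 s timeout, 50 real SYN/s.
    # The table holds roughly attack_rate * timeout entries in steady state,
    # so anything above backlog / timeout (about 68 SYN/s here) starts to bite.
    print(sweep(4096, 50, 60, 120, rates=(50, 100, 1000)))
```

The interesting value is backlog divided by timeout: once the attacker's SYN rate exceeds it the table fills within seconds and stays full except for brief windows when a batch of old entries expires, so most legitimate connection attempts are refused even though the attacker is sending a few hundred kilobits per second.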