Source ip addresses can be spoofed. And because of IPv6 it is not enough to keep a look-up table of ip addresses that are excluded from visiting a website, because with ipv6 there are now enough ip addresses for a single sender to spoof to send quintillions of probing requests at a webserver.
Given this, what are newer methods of mitigating rotating IP forwarded DDOS probes of a web server?
Is the only solution to white list individual registered user's ip addresses and also to ____ ?
If you are worried about the amount of IPv6 addresses you can treat whole blocks of /64 or /62 the same way as you treat one IPv4 address. If you are receiving a lot of traffic from different addresses in the same /64 net you can block the whole net for a while to prevent attacks.
You can also use a service like Cloudflare to put in front of your own service to mitigate DDOS attacks. This way Cloudflare will be the public IP addresses of your website, while your own server's IP address can be hidden and can configured to only accept connections from Cloudflare and block all other requests. Cloudflare will mitigate DDOS attacks and can also cache parts (or all) of your website in local CDNs all over the world and provide other techniques to improve the speed of your site as well.
