You can break down DDoS into roughly three categories:
1. Volumetric (brute force)
2. Application (targeting specific app endpoints)
3. Protocol (exploiting protocol vulnerabilities)
DDoS mitigation providers concentrate on 1 & 3.
The basic idea is: attempt to characterize the malicious traffic if you can, and/or divert all traffic for the target. Send the diverted traffic to a regional "scrubbing center"; dirty traffic in, clean traffic out.
The scrubbing centers buy or build mitigation boxes that take large volumes of traffic in and then do heuristic checks (liveness of sender, protocol anomalies, special queueing) before passing it to the target. There's some in-line layer 7 filtering happening, and there's continuous source characterization happening that feeds basic network layer filters back towards ingress.
You can do pretty simple statistical anomaly models and get pretty far with attacker source classification, and to track targets and be selective about what things need to be diverted.
A lot of major volumetric attacks are, at the network layer, pretty unsophisticated; they're things like memcached or NTP floods. When you're special-casing traffic to a particular target through a scrubbing center, it's pretty easy to strip that kind of stuff off.
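One way to make the "simple statistical anomaly models" point concrete, as an added example that is not the commenter's or any vendor's code: the flow records below are constructed, and the reflector-port list and median/MAD thresholds are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict

# Reflected/amplified traffic (memcached, NTP) arrives with the amplifier's
# service port as the *source* port; these two are the ones the thread names.
REFLECTOR_PORTS = {123: "ntp", 11211: "memcached"}

# Constructed per-source flow records toward one protected target over a
# one-second window: (src_ip, proto, src_port, packets, bytes).
FLOWS = [
    ("198.51.100.10", "udp", 11211, 12000, 14_400_000),  # big memcached replies
    ("198.51.100.11", "udp", 123, 9000, 4_320_000),      # NTP replies
    ("192.0.2.77", "tcp", 443, 3000, 180_000),           # tiny packets, high rate
    ("203.0.113.5", "tcp", 443, 40, 32_000),
    ("203.0.113.6", "tcp", 443, 55, 41_000),
    ("203.0.113.7", "tcp", 80, 30, 20_000),
    ("203.0.113.8", "udp", 53, 25, 6_000),
]

def classify_sources(flows, min_avg_size=400, z_threshold=3.5):
    """Return {src_ip: reason} for sources a scrubbing filter would drop.

    Check 1: reflector signature (UDP from a known amplifier port with large
    average packets). Check 2: robust rate outlier, using median/MAD instead
    of mean/stdev so a few huge sources don't hide each other.
    """
    pkts = defaultdict(int)
    reasons = {}
    for src, proto, sport, npkts, nbytes in flows:
        pkts[src] += npkts
        if proto == "udp" and sport in REFLECTOR_PORTS and nbytes / max(npkts, 1) > min_avg_size:
            reasons[src] = f"{REFLECTOR_PORTS[sport]}-amplification"
    rates = list(pkts.values())
    median = statistics.median(rates)
    mad = statistics.median(abs(r - median) for r in rates)
    scale = 1.4826 * mad or 1.0  # fall back if every source has the same rate
    for src, rate in pkts.items():
        if (rate - median) / scale > z_threshold:
            reasons.setdefault(src, "rate-outlier")
    return reasons
```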
Were these heuristics done in hardware then? ASICs? FPGAs? Could you elaborate what the "liveness of sender" and "special queueing" heuristics are?
 - https://en.wikipedia.org/wiki/Slowloris_(computer_security)
"Select Thunder TPS models have high-performance FPGA-based Flexible Traffic Acceleration (FTA) technology to detect and mitigate up to 60 common attack vectors immediately in hardware — before data CPUs are involved."
I was curious about this statement. Can you elaborate, weird how?
The Tile GX (including the hardware) was available for general-purpose use from Linux (which we ran), but could also be programmed directly to do lots of packet classification even before the packets got to the CPU and main memory (which we did). The Cavium network processor worked similarly.
It's definitely not the case that all DDoS attacks can be reliably cleaned up in an ISP scrubbing center.