First of all, DDoS (Distributed Denial of Service) attacks are not created equal:
Flooding or Volumetric Attack
A flooding attack sends a large amount of traffic to a victim network to congest the network with traffic. With enough traffic (which today is much easier through the use of botnets and other DDoS attack tools), the traffic crashes the victim network so legitimate users cannot access their accounts or make purchases online.
Amplification Attack
A different DDoS attack which “manipulates publicly-accessible domain name systems, making them flood a target with large quantities of UDP (user datagram protocol) packets. Using various amplification techniques, perpetrators can “inflate” the size of these UDP packets, making the attack so potent as to bring down even the most robust Internet infrastructure.” Often the attacking packets are spoofed (or faked) in order to hide the origin of the attack, or to defeat potential firewall defenses.
Resource Depletion Attack
Similar to an amplification attack, a resource depletion attack floods the victim server with bogus information packets to seize up the server, so it cannot respond to legitimate requests for information.
Diversion or Ransom Attack
Lastly, in this attack vector, the attacker commences a DDoS act against the victim server to distract the security team and incident responders while the attacker uses different methods to penetrate the network. One popular variant of this attack is to flood the victim’s servers constantly until they pay a ransom (normally in untraceable bitcoin).
Secondly, it is not really about securing the panel but about securing your web server. Not knowing what operating system and web server you are running, my advice will be very generic:
1. Over-provisioning
Many DDoS attacks are brute force in nature, and over-provisioning is a brute force defense. Your opponent simply needs to throw enough traffic at you to overwhelm your capacity. You can reduce his chances of success and limit the impact on your users by provisioning for far more traffic than you would expect to receive during normal operation. You do not necessarily need to provision for a 40Gbps attack – not all attackers have botnet arsenals that large – but you should aim to prepare for traffic many multiples of what you experience in normal operations.
Some people, when designing their networks, have a tendency to provision for their highest anticipated level of genuine traffic. An IPTV site, for example, might provide enough capacity for peak usage (Champions League, NFL, PPV, etc.). This will rarely be sufficient to fend off a good-sized DDoS attack. A good rule of thumb when building out your infrastructure is to provision for ten times normal peak traffic. Work out the largest amount of traffic you've ever had, multiply it by ten, and deploy sufficient hardware to cope with at least that level of activity.
Similar rules apply to bandwidth, so you must ensure that your contract is flexible enough to permit traffic coming into your systems to “burst” to many times the normal volume. You don't want your connectivity provider to shut down all traffic to your site in order to prevent collateral damage to its other customers. Work out the largest amount of bandwidth your site has ever consumed under normal circumstances, then check that your contracts would allow a sustained burst of ten times that amount. Keep in mind that handling that much traffic will take a hefty bite out of your wallet, too.
2. Remote/redundant monitoring
Many setups have systems in place to monitor the performance and availability of your service. But in-house monitoring systems can be limited if they're under a DDoS attack as well. If a system designed to alert you when the network experiences problems sits behind the same bottleneck as the site it is monitoring, the alert probably won't make it to your phone or in-box in a timely fashion.
When you're under attack, it helps to know that you are under attack – and quickly. A more reliable alternative is to subscribe to a third-party service that monitors your site around the clock from dozens of other places on the Internet, evaluating its responsiveness from a genuine end-user perspective and providing alerts to your phone when problems are found.
3. Dump the logs
Default web server logs can't tell the difference between a genuine visitor and a botnet node. Both visits will usually be recorded in the same way. Even if your server is provisioned correctly and is able to recover from a DDoS attack flood, if its logs stack up, you can often add insult to injury if your server fails because the logs became too large. While the log data could possibly be used for forensic purposes after the attack is over, its value is relatively limited. It's far more important that servers are able to respond to genuine users during the attack.
When under attack, if log files are allowed to grow large, you're faced with the choice between keeping the data and losing the server, or losing the data and keeping the server. If your Web server is mission critical and large log files are preventing you from recovering, your choice should be clear: dump the logs.
4. Know the people at your providers
While it is technically possible to locally configure network hardware to drop some malicious packets, ideally you'll want the unwanted traffic throttled as close to the source as possible. This means that coordination with your upstream providers is a must.
Unfortunately, if your opponent has done his reconnaissance properly, he will launch his attack at the most inconvenient time possible. There's a good chance that the text message alerting you to an incoming DDoS will arrive at 1am on a Saturday morning, when both you and your regular ISP points of contact are off for the weekend. If you can't find anyone in a position to help you, you're then faced with the prospect of two or three days of compromised performance or outright downtime. In these circumstances it’s essential to have the direct telephone numbers of clued-in people at your providers' network operations center. If you know how to contact the right person to help shut down the attack, regardless of the hour, you'll experience far fewer headaches when a DDoS strikes.
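
An added example for step 3 ("Dump the logs"), not part of the original post: a shell function that truncates oversized web server logs in place once free disk space falls below a floor, so the server keeps answering requests. The function names, the `*.log` pattern and the thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emergency log dump for a web server under a flood.
# Assumptions: logs are *.log files in one directory; thresholds are
# illustrative and should be tuned to the real disk and traffic.

# Free space, in KiB, on the filesystem that holds directory $1.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# dump_logs DIR MIN_FREE_KB MAX_FILE_KB
# When free space is below MIN_FREE_KB, truncate every *.log in DIR that is
# larger than MAX_FILE_KB. Prints the number of files truncated.
dump_logs() {
    dir=$1 min_free_kb=$2 max_file_kb=$3
    count=0
    avail=$(free_kb "$dir")
    # Refuse to act on unparsable df output: never destroy logs on a guess.
    case $avail in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$avail" -ge "$min_free_kb" ]; then
        echo 0
        return 0
    fi
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        size_kb=$(( $(wc -c < "$f") / 1024 ))
        if [ "$size_kb" -gt "$max_file_kb" ]; then
            # Truncate instead of rm: the server still holds the file open,
            # so a deleted file would keep its disk blocks until a restart.
            : > "$f"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Hypothetical call from cron during an attack (placeholder path):
#   dump_logs /path/to/weblogs 1048576 102400
```

If the log data matters for later forensics, ship it off the box continuously in normal operation, so that truncating the local copy during an attack loses little.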