I'm going to copy and paste something my friend wrote about it (his wife does this kinda stuff for a living) since I think he can explain it better than I can:

Methods differ from place to place, and I don't know of any provider that will tell you how their automatic mitigation systems work (for pretty obvious reasons). As far as I know though, PhoenixNAP (our host) has specific DDoS mitigation hardware in place in at least one level of their infrastructure, and all routers also have their own mitigation rules. They detect sudden large bursts in traffic, analyze it against various rules to see if it's suspicious (ex: 200 new connections all spamming similar abnormal requests), and then drop the packets if they are. The alerts in the picture are all automatic and just serve as a notice to us.

PNAP in particular has DDoS protection at four different levels.

1) Their ISPs (multiple 10 Gbit networks, such as Cogent, Level 3, Inteliquent, etc.). I imagine the rules at the ISP level are less strict, but stop most common attacks before they even hit the datacenter. They only utilize each ISP to 50% of their capacity, so if an attack is actually getting through, they can handle an extra ~5Gbit of traffic per ISP without anyone feeling a thing.

2) The edge routers. These are where all connections to the datacenter come in. The rules at this level can be set by PNAP staff, and can be slightly more strict than the ISP rules. The rules are a closely guarded secret, and anything from this level and beyond at the datacenters require an armed guard escort , access cards, and retinal scans.

3) Aggregate policers. These are rules that are set to each protocol, such as burst limits, bandwidth, priority, etc. At this point, the amount of traffic alone can trigger a mitigation. Ex: Our server typically sees 20-60mbit of consistent traffic. If multiple people are downloading maps it could get as high as 200-300mbit (for /very/ brief periods). But most the attacks result in 1-4gbit's of traffic, making them clearly outliers and easy to filter out. Think of this level as the "trend watching" layer.

4) Top of rack. Every server rack has its own mitigation in place as well. I imagine these rules can be quite a bit more strict since fewer servers at a time can be affected by their rules. I honestly have no idea what goes on at this level though.

And on top of all that, we have our own custom firewall rules (literally pages of them made by hand for our specific needs). If the traffic isn't so high or suspicious that it is actually getting routed to our server, for the most part our rules will either rate limit, or completely block traffic by IP based off suspicious activity. At one point we had someone open a support ticket from a proxy asking why he couldn't access our website directly after port scanning us. That's an example of one of our custom rules working its magic and automatically blocking suspicious activity.