There "is" such a way, see RFC 5575, but it seems to be little known/implemented/deployed/enabled/something.
5575 is a BGP extension that says "for packets from x to y, do z". Assuming a router knows on which of its input ports such packets arrive (and during a DDoS it doesn't have to wait long for the next packet), it can disseminate the flow specification towards the actual source(s) quickly, so the packets can be dropped quite far from the DDoS target, in the ideal case as soon as it reaches an honest ISP.
Egress filtering should kill much of the spoofed-origin traffic and this much of the rest — if deployed.
I'd love to know why 5575 isn't deployed. Memory concerns maybe?
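As an added illustration of the "for packets from x to y, do z" rule the comment describes (not code from the commenter or from any router vendor), this encodes an RFC 5575 Flow Specification NLRI carrying a destination and source prefix, plus the traffic-rate extended community that tells the receiving router to drop the matching flow. It is limited to IPv4 and to the two prefix component types; the addresses and AS number are constructed sample values.

```python
import ipaddress
import struct

# Flow Specification component types (RFC 5575 section 4)
DEST_PREFIX = 1
SRC_PREFIX = 2

def encode_prefix_component(ctype, cidr):
    """Type 1/2 component: <type><prefix length in bits><prefix octets>."""
    net = ipaddress.ip_network(cidr, strict=True)
    nbytes = (net.prefixlen + 7) // 8  # only the significant octets are sent
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def encode_flowspec_nlri(src_cidr, dst_cidr):
    """NLRI for 'packets from src to dst'; components must appear in ascending type order."""
    body = (encode_prefix_component(DEST_PREFIX, dst_cidr)
            + encode_prefix_component(SRC_PREFIX, src_cidr))
    if len(body) >= 240:
        raise ValueError("two-octet NLRI length encoding not handled in this example")
    return bytes([len(body)]) + body  # one-octet length prefix for lengths < 240

def traffic_rate_community(asn, rate_bytes_per_sec):
    """Traffic-rate extended community (type 0x80, sub-type 0x06, RFC 5575 section 7).
    A rate of 0.0 means 'discard all traffic matching this flow'."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)

def decode_flowspec_nlri(data):
    """Parse an IPv4 Flow Specification NLRI with prefix components back to CIDR strings."""
    length = data[0]
    body = data[1:1 + length]
    if len(body) != length:
        raise ValueError("truncated NLRI")
    comps, i = {}, 0
    while i < len(body):
        ctype, plen = body[i], body[i + 1]
        nbytes = (plen + 7) // 8
        addr = body[i + 2:i + 2 + nbytes] + b"\x00" * (4 - nbytes)
        comps[ctype] = f"{ipaddress.IPv4Address(addr)}/{plen}"
        i += 2 + nbytes
    return comps

def decode_traffic_rate(ec):
    """Return (asn, rate) from a traffic-rate extended community."""
    ctype, subtype, asn, rate = struct.unpack(">BBHf", ec)
    if (ctype, subtype) != (0x80, 0x06):
        raise ValueError("not a traffic-rate extended community")
    return asn, rate
```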