I've been behind a large, often-targeted service for the last 10 years or so, and most of the large attacks we get are pretty easily filtered as our service is TCP (like CloudFlare), and most of the attacks we get are either ping or UDP floods, which we drop at the boundary.
A little harder is the SYN flood with spoofed addresses; how on earth can you filter those?
Aren't SYN cookies [0] the traditional defence against SYN floods? The proxy, or a device in front of it, could take care of that. Only connections that complete the 3-way handshake would take up any room in the connection table.
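To make the "no room in the connection table until the handshake completes" point concrete, here is an added, simplified SYN-cookie encoder/verifier in the style of Bernstein's original scheme (this is illustrative code written for this thread, not from any poster or from a real TCP stack; the secret, addresses, MSS table and 64-second time tick are constructed assumptions). The server answers every SYN with a SYN-ACK whose initial sequence number is the cookie and stores nothing; only an ACK that carries a valid cookie allocates a connection.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a real stack uses a random, periodically rotated key.
SECRET = b"constructed-demo-secret"
MSS_TABLE = [536, 1220, 1440, 1460]   # 3-bit index; options not encoded here are lost

def _mac24(saddr, sport, daddr, dport, t5, mss_idx):
    """24-bit truncated HMAC over the 4-tuple, the 5-bit time counter and MSS index."""
    msg = struct.pack("!4sH4sHBB", saddr, sport, daddr, dport, t5, mss_idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(saddr, sport, daddr, dport, mss, now):
    """Build the SYN-ACK sequence number: [5 bits time | 3 bits MSS idx | 24 bits MAC]."""
    t5 = (int(now) >> 6) & 0x1F          # 64-second ticks, wraps every 32 ticks
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):    # largest table entry not above the client MSS
        if m <= mss:
            mss_idx = i
    mac = int.from_bytes(_mac24(saddr, sport, daddr, dport, t5, mss_idx), "big")
    return (t5 << 27) | (mss_idx << 24) | mac

def check_cookie(saddr, sport, daddr, dport, ack, now):
    """Validate the ACK of a 3-way handshake; return the MSS to use or None to drop."""
    cookie = (ack - 1) & 0xFFFFFFFF      # client acknowledges our ISN + 1
    t5 = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    t_now = (int(now) >> 6) & 0x1F
    if (t_now - t5) & 0x1F > 1:          # accept only the current or previous tick
        return None
    expected = _mac24(saddr, sport, daddr, dport, t5, mss_idx)
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                      # spoofed source never saw the SYN-ACK
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    src, dst = bytes([203, 0, 113, 7]), bytes([198, 51, 100, 1])   # constructed addresses
    isn = make_cookie(src, 40000, dst, 443, 1460, now=1_000_000)
    print(hex(isn), check_cookie(src, 40000, dst, 443, isn + 1, now=1_000_000))
```

A flood of SYNs from spoofed sources therefore costs one HMAC per SYN-ACK and no memory; the attacker never receives the SYN-ACK, so it cannot produce an ACK that passes `check_cookie`.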
I don't understand. Why is it simple to filter UDP but not simple to filter based on a cookie? Is the validation CPU-expensive in bulk? Do you not have the capability to filter that way at the boundary?