[theojulienne]

Since SYN packets only contain a limited set of information, if the SYN packets have spoofed source addresses then it is very difficult for a device in the destination network to filter/mitigate a SYN flood, since they look like legitimate SYN packets from many different clients. That said, if it's a non-spoofed attack, then you can definitely filter them at the edge. For spoofed attacks, if you filter from multiple global POPs (as do many DDoS scrubbing services), you may be able to guess that a packet is arriving at an inappropriate POP given the source address, but even that will only let you filter a certain amount of the traffic. Because of that, you still need some level of protection at the destination server.