Yep. Add the source address (or some more specific yet easily computed identifier) to a table that is checked early in the network path (in hardware if possible).
Or, if you want to be fancy, "tarpit" them (complete TCP handshake and then ignore, forcing attacker to actually commit resources), but apparently that's of questionable value these days. [1]
Or by banning the source, especially repeat offenders.
I find that using a combination of nginx's limit_req and fail2ban over nginx logs is an easy measure that already goes a long way in handling basic types of DoS, like clients producing an abnormally high volume of requests.
Or, if you want to be fancy, "tarpit" them (complete TCP handshake and then ignore, forcing attacker to actually commit resources), but apparently that's of questionable value these days. [1]
[1] https://en.wikipedia.org/wiki/Tarpit_(networking)