[catlike]

One of the most effective answers is not "buy a stinkin' Cisco firewall" but rather "buy a stinkin' Arbor"

http://www.arbornetworks.com/

If you want to survive large scale DDOS you need equipment that can scrub the incoming unvalidated data in real-time and keep up.

Combining Source Based Remotely Triggered Black Holing (RTBH) with uRPF affords you the ability in a sophisticated network to drop a large amount of undesired traffic (especially if it's from simpler DDOS strategies). If you do in fact have the $$/need for the Arbor then inside of black-holing the traffic you send it to the Arbor and let it scrub the packets.

[tptacek]

I was the lead developer on Arbor Peakflow DoS (not the traffic scrubber they acquired from Ellacoya; the NetFlow analysis engine) and then a product manager at Arbor. This is fine advice if you're an Internet service provider (except that virtually every ISP has already taken that advice). But if you're buying connectivity, the Arbor box isn't going to do you any good; your links are going to be saturated before the scrubber can do anything about it.