I think it's a bit of snake oil...

A DDoS attack is going to do one of two things: eat your bandwidth or clog your server.

In the case of eating the bandwidth, there is nothing you can do short of getting ISPs along the way to block the zombies sending to your pipe. Thus this system would not assist, since it is only dropping packets it believes are malicious after they have already blocked bandwidth.

In the second case it will function up to a point. That point would be determined by the number of zombies, the server capacity and the available bandwidth. There will come a point where an overwhelming number of zombies would still "win", since the first packet sent by each zombie (assuming no IP spoofing is going on) _has_ to be determined as legitimate traffic. If IP spoofing is being done by the zombie, then _every_ packet (assuming the zombie randomizes as opposed to selecting netblocks and sequentially running through them) _has_ to be assumed to be legitimate.
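
The second case above, modelled as an added example that is not part of the original post: a hypothetical per-source filter that passes the first packet from each source address and drops the rest. Spoofed sources are assumed never to repeat, and the class, function names and numbers are constructed for illustration; the bandwidth case is not modelled.

```python
from collections import Counter
from itertools import count


class PerSourceFilter:
    """Hypothetical filter: passes up to `budget` packets per source, drops the rest."""

    def __init__(self, budget=1):
        self.budget = budget
        self.seen = Counter()

    def allow(self, src):
        self.seen[src] += 1
        return self.seen[src] <= self.budget


def packets_reaching_server(zombies, packets_each, spoofed, budget=1):
    """Count the packets the filter lets through to the server in one round."""
    filt = PerSourceFilter(budget)
    fresh = count()  # assumption: a randomizing spoofer never reuses a source
    passed = 0
    for z in range(zombies):
        for _ in range(packets_each):
            src = f"spoof-{next(fresh)}" if spoofed else f"zombie-{z}"
            if filt.allow(src):
                passed += 1
    return passed


def scenario_table(capacity, packets_each=100):
    """Rows of (zombies, spoofed, packets passed, server over capacity)."""
    rows = []
    for zombies in (100, 1_000, 10_000):
        for spoofed in (False, True):
            passed = packets_reaching_server(zombies, packets_each, spoofed)
            rows.append((zombies, spoofed, passed, passed > capacity))
    return rows


if __name__ == "__main__":
    # Constructed capacity: the server copes with 5,000 packets per round.
    for zombies, spoofed, passed, over in scenario_table(capacity=5_000):
        print(f"zombies={zombies:>6} spoofed={spoofed!s:<5} "
              f"passed={passed:>8} over_capacity={over}")
```

Without spoofing the filter caps the load at one packet per zombie, so it holds until the zombie count alone exceeds capacity; with non-repeating spoofed sources it passes everything.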