November 2nd, 2002, 12:45 AM
#9
I actually disagree with the comment that DDoS attacks can't be stopped. What needs to happen is that another protocol needs to be spec'd out by the IETF that all routers would need to adhere to. That protocol would check a signature file or policy rule and send a message to the gateway that is sending the offending packets, and that gateway in turn would act out the consequences of the policy, i.e. shutting off all communications from the offending host, or limiting it in such a way that it could no longer reach the target until the attack was over. This, of course, would require an upgrade for the routers, because they would need more processing power to check the packets fast enough not to cause a giant slowdown. This is sort of a distributed IDS tree, and it doesn't necessarily have to be limited to DDoS attacks; it could also be implemented for all sorts of malicious traffic.
Just a thought...
Regards,
Wizeman
EDIT: Also, just to let everyone know, anything that sends some sort of throttle or quench request to the offending host can be ignored if the host happens to be using a non-compliant TCP/IP stack, or if it is modified in some other fashion to ignore the requests. This is why I believe the focal point for preventing attacks of any sort should be the nearest gateway to the offender, that is not under the offender's direct control.
"It's only arrogance if you can't back it up, otherwise it is confidence." - Me
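A small model of the idea in the post above, added here as an illustration and not code from the original thread: a policy rule is checked at the target's edge, the offending (source, destination) pair is reported to the gateway nearest the source, and that gateway enforces the block. It also models the edit's point that a host-directed throttle request achieves nothing when the host's stack ignores it, while gateway-side enforcement still works. All addresses, rates, the `Policy` threshold and the `honours_quench` flag are constructed for the example.

```python
"""Added illustration (not from the original post) of edge-side detection with
enforcement at the gateway nearest the offender. Everything here is constructed."""
from collections import Counter
from dataclasses import dataclass, field

TARGET = "198.51.100.5"          # constructed target address


@dataclass
class Host:
    addr: str
    pps: int                      # packets per second sent toward TARGET (constructed)
    honours_quench: bool = True   # False models a modified, non-compliant stack


@dataclass
class Gateway:
    name: str
    hosts: set                    # hosts directly behind this gateway
    blocked: set = field(default_factory=set)   # (src, dst) pairs this gateway drops

    def enforce(self, src, dst):
        """Act on a policy message from the target's side: drop src -> dst here."""
        self.blocked.add((src, dst))

    def forwards(self, src, dst):
        return (src, dst) not in self.blocked


@dataclass(frozen=True)
class Policy:
    max_pps: int = 50             # hypothetical rule: more than this per (src, dst) is a flood


def packets_from(hosts):
    """Constructed one-second traffic sample: each host emits `pps` packets to TARGET."""
    return [(h.addr, TARGET) for h in hosts for _ in range(h.pps)]


def detect_offenders(packets, policy):
    """Edge-side check against the policy rule; returns the offending (src, dst) pairs."""
    counts = Counter(packets)
    return {pair for pair, n in counts.items() if n > policy.max_pps}


def quench_host(host):
    """Host-directed throttle request. A compliant stack stops sending; a modified
    one simply ignores it. Returns the host's rate afterwards."""
    if host.honours_quench:
        host.pps = 0
    return host.pps


def nearest_gateway(gateways, addr):
    return next((gw for gw in gateways if addr in gw.hosts), None)


def delivered_counts(hosts, gateways):
    """Replay the traffic sample through each source's nearest gateway."""
    delivered = Counter()
    for src, dst in packets_from(hosts):
        gw = nearest_gateway(gateways, src)
        if gw is None or gw.forwards(src, dst):
            delivered[(src, dst)] += 1
    return delivered


def gateway_enforcement(hosts, gateways, policy):
    """Detect at the edge, then push the block to the gateway nearest each offender."""
    offenders = detect_offenders(packets_from(hosts), policy)
    for src, dst in offenders:
        gw = nearest_gateway(gateways, src)
        if gw is not None:
            gw.enforce(src, dst)
    return offenders, delivered_counts(hosts, gateways)


def demo():
    attacker = Host("203.0.113.7", pps=200, honours_quench=False)  # constructed flooder
    legit = Host("192.0.2.10", pps=5)                               # constructed normal client
    hosts = [attacker, legit]
    gateways = [Gateway("gw-a", {attacker.addr}), Gateway("gw-b", {legit.addr})]
    after_quench = quench_host(attacker)            # ignored: rate stays at 200
    offenders, delivered = gateway_enforcement(hosts, gateways, Policy())
    return after_quench, offenders, delivered


if __name__ == "__main__":
    print(demo())
```

The legit client's traffic is untouched because the block is keyed on the (source, destination) pair and applied only at the offender's own gateway; a real deployment would also need the policy message itself to be authenticated, or the mechanism becomes a way to get third parties blocked.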