Originally posted here by j3r
Of course, the problem with "just firewall them" is that sometimes, you'll be blocking an address that is actually owned by someone you want to talk to. Just be careful, is all.
Not if you configure your firewall correctly.

An access-list or firewall policy should be configured to expect certain IP addresses from certain interfaces. For example, if your firewall gets a packet from it's external (Internet facing) interface with a source IP address of 10.x.x.x, then you can guarantee it is a spoofed packet and it should be dropped.

the type of spoofing you truly cannot prevent however is the type where the source IP address is changed for anonymity purposes, such as packets being generated from a packet generator such as hping or my personal favorite, rain.

While a do agree with MsMittens that the original IP address can be found from a sniffer trace in some cases, this a rarely the case with a "good" packet generator. Which is why I would agree more with SirDice's comments that there really is no good way to do it.