Egress Filtering

by Charles Miller on November 15, 2002

Darren Hobbes points out egress filtering as a way to combat DDOS (in reply to my Seven Things Wrong With the Internet).

Egress filtering is a simple idea. When a packet crosses over between your network and another, check its source address to make sure it says that it comes from inside your network. If it says it comes from anywhere else, it's forged and you should drop it on the floor. (There's also ingress filtering, where you do the reverse to protect yourself from packets that come from outside but are attempting to imitate your own servers.)
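To make the two rules concrete, here is the border decision as a router's ACL would apply it, written as an added example rather than code from the post; the prefixes, sample packets and function names are constructed for illustration.

```python
import ipaddress

# Constructed assumption: the address ranges this site actually owns.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of our own prefixes (v4/v6 mismatches are False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def border_filter(direction: str, src: str) -> str:
    """Return 'forward' or 'drop' for a packet crossing the border.

    egress  (leaving us):  forward only if the source claims one of our addresses,
                           so spoofed packets never leave our network.
    ingress (entering us): drop anything from outside that claims one of our
                           addresses, so outsiders cannot imitate our servers.
    """
    internal = is_internal(src)
    if direction == "egress":
        return "forward" if internal else "drop"
    if direction == "ingress":
        return "drop" if internal else "forward"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample traffic: (direction, source address).
SAMPLE_PACKETS = [
    ("egress", "192.0.2.10"),     # our host talking out: legitimate
    ("egress", "198.51.100.7"),   # leaving us with someone else's source: spoofed
    ("egress", "2001:db8:1::5"),  # our IPv6 range: legitimate
    ("ingress", "203.0.113.9"),   # ordinary inbound packet: legitimate
    ("ingress", "192.0.2.10"),    # inbound but claims to be us: spoofed
]


def apply_filter(packets=SAMPLE_PACKETS):
    """Run every sample packet through the border rule and return the verdicts."""
    return [(d, s, border_filter(d, s)) for d, s in packets]


if __name__ == "__main__":
    for d, s, verdict in apply_filter():
        print(f"{d:7} {s:18} -> {verdict}")
```

The same logic expressed as an access list on a real border router is what the post is asking every operator to deploy; the point of the ingress rule is that it is the only half you can enforce for yourself.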

Egress filtering is a good idea, and every router should implement it as a matter of course. Sadly, a lot of them don't, and it's one of those things where even if you have egress filtering working fine across your border, you're not safe unless everyone else is doing it too. And sadly, even though it's been a security best practice for years, a lot of people don't put it in for just this reason—there's no immediate benefit to your own network in having it in place, so it's not thought of.

A lawsuit or two from victims of spoofed attacks would fix this, but can you imagine trying to prove in court where spoofed IP packets came from?

On top of this, most DDOS attacks these days don't bother with spoofing, which makes egress filtering ineffective as a defense. Hell, most of them come from trojanned Windows 9x boxes that are incapable of packet spoofing. They just work because there's an infinite number of monkeys with typewriters out there, willing to install the latest trojan floodbot.
