Again, the rule is "don't accept packets from an interface if there's no route for their source addresses pointing back to the same interface". Note that that route does not have to be the best one -- just that the router gets it from somewhere.
Without discussing it with the right folks here ahead of time, I suspect we could do this at good speed in some, but not all, routers in our product line. The solution I have in mind would not be suitable for some places in the net. We'd put the extra checks in the slow path which Curtis hates so much, and then use our 'flow-switching' cache, which is keyed by src/dest addresses & ports. So packets which fail the source address scrutiny in the slow path aren't put in the flow-switching cache. I can't recall if we cache negatives there, but in any event apparently the attacks involve SYN flows on the order of hundreds of PPS, which might go through the slow path OK. BTW, I believe the criterion Vadim suggests is similar to that used in RPF Multicast flooding. Now the big question: is this useful in routers carrying a default route? -- Jim
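As an added illustration of the check discussed in this message (example code written for this page, not from Jim, the thread, or any vendor's router software), the following simulates the "any route back out the ingress interface, not necessarily the best one" rule beside the stricter best-route variant, and the slow-path/flow-cache arrangement in which only flows that pass the source check are cached. The routing table, the interface names (cust0, cust1, upstream0) and the packets are constructed for the example; the `ipaddress` module does longest-prefix matching. The last case in `demo()` exercises the open question about default routes: on the interface the default route points out of, the any-route rule accepts every source address, because 0.0.0.0/0 covers all of them.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # interface this route forwards out of
    origin: str      # where the router learned it (static, bgp, ...); informational only

def routes_covering(table: List[Route], src: str) -> List[Route]:
    """Every route whose prefix contains src, longest prefix (best route) first."""
    addr = ipaddress.ip_address(src)
    hits = [r for r in table if addr in r.prefix]
    return sorted(hits, key=lambda r: r.prefix.prefixlen, reverse=True)

def rpf_strict(table: List[Route], src: str, ingress: str) -> bool:
    """Stricter variant: accept only if the BEST route back to src leaves via ingress."""
    hits = routes_covering(table, src)
    return bool(hits) and hits[0].interface == ingress

def rpf_any_route(table: List[Route], src: str, ingress: str) -> bool:
    """The rule from the message: accept if ANY route for src points back out the
    ingress interface; it need not be the best one, it only has to exist."""
    return any(r.interface == ingress for r in routes_covering(table, src))

def build_table() -> List[Route]:
    """Constructed routing table (assumed, not from the thread)."""
    def mk(prefix: str, iface: str, origin: str) -> Route:
        return Route(ipaddress.ip_network(prefix), iface, origin)
    return [
        mk("192.0.2.0/24", "cust0", "static"),
        mk("198.51.100.0/24", "cust1", "bgp"),
        mk("198.51.100.128/25", "cust0", "bgp"),   # multihomed customer: more specific via cust0
        mk("0.0.0.0/0", "upstream0", "static"),    # default route out the upstream
    ]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str

@dataclass
class FlowSwitchingRouter:
    """Slow path runs the source check; only flows that pass enter the cache
    (no negative caching), so a spoofed SYN flood takes the slow path every time."""
    table: List[Route]
    check: Callable[[List[Route], str, str], bool] = rpf_any_route
    cache: Set[Tuple[str, str, int, int, str]] = field(default_factory=set)
    slow_path_hits: int = 0

    def forward(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.ingress)
        if key in self.cache:
            return True                      # fast path: already vetted flow
        self.slow_path_hits += 1
        ok = self.check(self.table, pkt.src, pkt.ingress)
        if ok:
            self.cache.add(key)              # cache positives only
        return ok

def demo() -> List[Tuple[str, str, bool, bool]]:
    """(src, ingress, strict result, any-route result) for the constructed cases."""
    t = build_table()
    cases = [
        ("192.0.2.10", "cust0"),        # legitimate customer source
        ("192.0.2.10", "cust1"),        # spoofed: no route back via cust1
        ("198.51.100.200", "cust1"),    # best route is the /25 via cust0, but the /24 via cust1 exists
        ("192.0.2.10", "upstream0"),    # default route covers it, so any-route accepts
    ]
    return [(s, i, rpf_strict(t, s, i), rpf_any_route(t, s, i)) for s, i in cases]

if __name__ == "__main__":
    for row in demo():
        print(row)
    r = FlowSwitchingRouter(build_table())
    good = Packet("192.0.2.10", "203.0.113.1", 40000, 80, "cust0")
    bad = Packet("192.0.2.10", "203.0.113.1", 40000, 80, "cust1")
    print([r.forward(good), r.forward(good), r.forward(bad), r.forward(bad)], r.slow_path_hits)
```

The third `demo()` case is the one the message's wording matters for: a strict best-route check would drop a multihomed customer's traffic arriving on its secondary link, while the any-route rule accepts it. The fourth case shows the cost: on an interface that carries the default route, the any-route rule accepts any source at all, so the check adds nothing there.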