the only way to block this traffic effectively is by asking your upstream peers to blackhole the traffic. dropping this with a firewall or other device is nearly impossible because of the high load.
remote triggered blackholing is done by BGP. which between peers only allows a /24 in terms of the smallest announcable prefix.
blocking every /24 from which an IP in a ddos originates kills most if not all of your reachability.
Wouldn’t some device still need to blackhole the stuff though?
I’d still argue that blackholing /24 blocks and retaining some reachability is preferable to losing all of it.
Now I’m kind of curious how fast you can make hardware drop stuff, but even inside my local PC I probably cannot reach 250Gbps of data flow (Hmm, 20 Gbps for DDR4, guess not).
You might end up blocking a few million, but your network remains uncongested.