The issue can be more to do with the substantial lack of outbound bandwidth compared to inbound, on most broadband connections. So if you are sent enough spurious packets downstream, which illicit a response by the router upstream (eg. a standard TCP SYN in, RST out connection request will do this), then, very rapidly, your connection is rendered unusable, not necessarily because the downstream is saturated, but because the upstream is saturated with your router trying to reply to all the requests.
Many years ago, I had a friend on Telewest (cable) who was being DDoS'd by some nasty script kiddie on IRC. He would just ping-timeout from the chat channel within minutes as soon as this guy started up with his bot-network. I developed some rules for Linux which I still use to this very day, which restrict the number of packets that Linux will reply to when faced with such an attack and I got him to place them on his Linux router to see how he got on. When it next happened, he managed to stay connected for at least 10-15 minutes longer during the attack, until the inbound data rate probably began to exceed his download rate instead. When that happens, it is game over for sure. It was nice watching though how these simple rules proved their effectiveness.
I still use them today on my own Linux router. They are very effective, and simple. Basically, the machine rate limits the number of TCP RST packets it sends, within 1 minute. So on the first few packets, I am nice and let the router reply with TCP RST packets (indicating the port is closed). But after 5 or so instances of that, it then just stops replying. Upsets NMAP no end, because the machine just plays mostly dead on all ports until the scan/attack is stopped, at which point it returns back to normal. I've applied the same rules onto the IPv6 stack also.
Edited by mixt (Sun 25-Mar-12 18:11:55)