Before anyone says Cloudflare: no, just no. Not really looking to pay for another service either.
We do not offer denial of service mitigation services.
Well that sucks.
As previously mentioned, I have no DDoS issue. But with OVH they offer it as part of their service. So it is nice to know that if I ever did run into a problem, I would have something to help.
Thank you for answering my question.
Sometimes preventative cures can cause more problems than they solve.
It is true that DoS mitigation on the router can sometimes be better, but running DoS mitigation on your host firewall gives you a faster ability to modify things if false positives are causing a problem for legitimate users.
Instead of a null route, would it be possible to rate limit incoming packets for a machine undergoing DDoS?
Another step, where QoS is in place, would be to mark packets to/from the victim as "space available" - as far up the line as possible.