DDoS Prevention for a Transit Provider

I'm looking to pick the brain of any engineers out there who have deployed a DDoS prevention strategy for an MSO that also runs their own transport network. Recently, we have been seeing increasingly large spikes of traffic traversing our core. We have determined the destination to be arbitrary, but often it is some host (a customer CPE) south of one of our CMTSs. While we enforce ingress and egress rate limits facing the customers, the core-facing network is pretty wide open, allowing the BGP mesh to steer traffic as needed.

Initially, we've been trying to do root-cause analysis of the traffic makeup via JFLOW data to see if simple ACLs might be a temporary stopgap, but I also want to explore a more elegant, long-term solution.

The introduction of IPSs feels cost prohibitive, especially since they would need to perform control at the core, as we provide wholesale transport services on top of our enterprise services, and that makes for a huge amount of homogenized traffic to be inspected.

Generally, the core can weather these spikes. Instead, it's the edge and the corresponding L3-to-L2 trunks that become saturated.

Any thoughts or comments would be greatly appreciated. Thanks.

JJ Stonebraker
IP Network Engineering
Grande Communications
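As an added illustration of the flow-based root-cause analysis the post describes (this is example code, not from the original poster or Grande Communications): given flow records of the kind a JFLOW/NetFlow collector exports, rank destinations to find the CPE absorbing the spike, then check whether a handful of protocol/source-port keys carry most of the bytes, which is what decides whether a temporary edge ACL or rate limit is viable. The record layout and all addresses are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One exported flow record (constructed layout, not a real JFLOW schema)."""
    src: str
    dst: str
    proto: int   # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    octets: int


# Constructed sample: a UDP reflection pattern aimed at one CPE, plus ordinary traffic.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "198.51.100.77", 17, 123, 45211, 9_000_000),
    Flow("203.0.113.9", "198.51.100.77", 17, 123, 45211, 8_500_000),
    Flow("203.0.113.44", "198.51.100.77", 17, 53, 45211, 6_000_000),
    Flow("203.0.113.61", "198.51.100.77", 17, 53, 45211, 5_500_000),
    Flow("192.0.2.10", "198.51.100.77", 6, 443, 50112, 400_000),
    Flow("192.0.2.12", "198.51.100.12", 6, 443, 50200, 700_000),
    Flow("192.0.2.14", "198.51.100.77", 6, 80, 50300, 100_000),
]


def top_destinations(flows, n=3):
    """Rank destination hosts by bytes to locate the host soaking up the spike."""
    by_dst = Counter()
    for f in flows:
        by_dst[f.dst] += f.octets
    return by_dst.most_common(n)


def acl_candidates(flows, victim, share=0.9):
    """Smallest set of (proto, source port) keys covering `share` of bytes to `victim`.

    Returns (keys, fraction_covered). A short list means a temporary ACL or
    rate limit at the edge trunk is a workable stopgap; a long, diffuse list
    means the spike cannot be described by a simple filter.
    """
    victim_flows = [f for f in flows if f.dst == victim]
    total = sum(f.octets for f in victim_flows)
    by_key = Counter()
    for f in victim_flows:
        by_key[(f.proto, f.sport)] += f.octets
    chosen, covered = [], 0
    for key, octets in by_key.most_common():
        chosen.append(key)
        covered += octets
        if covered >= share * total:
            break
    return chosen, (covered / total if total else 0.0)
```

On the sample data the top destination is 198.51.100.77 and two keys, UDP from source port 123 and UDP from source port 53, cover about 98% of the bytes sent to it, so a narrow edge filter would be defensible while a longer-term design is worked out.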