Are there any must-have DoS / DDoS mitigation strategies one should always build into a server?
Regardless of TCP or UDP, it feels like there is very little one could do against a DDoS which tries to saturate the network.
Even if the attacker can't do that, simply sending login packets with spoofed IP addresses/ports could be a problem. For something like SSL, it's possible to hit the CPU hard by initiating a handshake. CPU exhaustion attacks can be mitigated by puzzle challenge-style logins, but it should be fairly easy to block login by making sure that all login "slots" are in use.
(I know some websites that use CloudFlare, but that's for serving http/https content and so isn't an option)
Any opinions on what a reasonable line of defence is?
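The "puzzle challenge-style login" mentioned in the question, as an added example that is not part of the original post: a hashcash-style client puzzle whose difficulty scales with how many login slots are in use, so an idle server costs legitimate clients nothing while a flood must pay exponentially more work per slot. The slot table size, TTL and difficulty steps are assumptions, not values from the question.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed example, not code from the question: a hashcash-style client puzzle a
# server issues before spending CPU (e.g. a TLS handshake) or a login slot on an
# unverified peer. Server cost: one HMAC + one SHA-256; client cost: ~2**difficulty hashes.

MAX_SLOTS = 100                       # assumed size of the in-progress-login table
SERVER_KEY = secrets.token_bytes(32)  # per-process secret so the server keeps no state
TTL_SECONDS = 30

def difficulty_for_load(slots_in_use: int, max_slots: int = MAX_SLOTS) -> int:
    """Leading zero bits demanded: nothing while idle, exponentially more under a flood."""
    load = slots_in_use / max_slots
    for ceiling, bits in ((0.5, 0), (0.8, 12), (0.95, 16)):
        if load < ceiling:
            return bits
    return 20

def issue_challenge(slots_in_use: int, now=None) -> bytes:
    """Server: random || difficulty || expiry, HMAC-tagged so a forged challenge fails."""
    expiry = int(time.time() if now is None else now) + TTL_SECONDS
    body = secrets.token_bytes(16) + struct.pack(">BQ", difficulty_for_load(slots_in_use), expiry)
    return body + hmac.new(SERVER_KEY, body, hashlib.sha256).digest()

def meets_difficulty(challenge: bytes, solution: bytes, difficulty: int) -> bool:
    """SHA-256(challenge || solution) must start with `difficulty` zero bits."""
    digest = hashlib.sha256(challenge + solution).digest()
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length() >= difficulty

def verify_solution(challenge: bytes, solution: bytes, now=None) -> bool:
    """Server: authenticate and expire the challenge, then check the proof of work.
    A real deployment should also refuse reuse of a solved challenge within its TTL."""
    body, tag = challenge[:-32], challenge[-32:]
    if not hmac.compare_digest(tag, hmac.new(SERVER_KEY, body, hashlib.sha256).digest()):
        return False
    difficulty, expiry = struct.unpack(">BQ", body[16:])
    if (time.time() if now is None else now) > expiry:
        return False
    return meets_difficulty(challenge, solution, difficulty)

def solve_challenge(challenge: bytes) -> bytes:
    """Client: read the difficulty byte and brute-force a counter that satisfies it."""
    difficulty, counter = challenge[16], 0
    while not meets_difficulty(challenge, counter.to_bytes(8, "big"), difficulty):
        counter += 1
    return counter.to_bytes(8, "big")
```

Because the challenge carries its own HMAC and expiry, the server stores nothing per unauthenticated peer, which is the property that keeps the slot table from being the thing a flood exhausts.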