one way to mitigate DDoS is to enforce source IP checks on the way OUT of a datacenter (egress).

sure there are botnets, infected devices, etc that would conform to this but where does the sheer power of a big ddos attack come from? including those who sell it as a service. they have to have some infrastructure in some datacenter right?

make a law that forces every edge router of a datacenter to check for source IP and you would eliminate a very big portion of DDoS as we know it.

until then, the only real and effective method of mitigating a DDoS attack is with even more bandwidth. you are basically a black hole to the attack, which cloudflare basically is.