I was thinking that a proof of work system for establishing a TCP connection might solve the issue of a DDoS. Lo and behold, I found this:
http://web.cecs.pdx.edu/~edkaiser/Papers/GlobalInternet08_paper.pdf

Haven't read the paper yet. Looks to be like something designed to work on today's internet, but I wonder if a robust solution wouldn't ultimately need to employ routers (such that routers are able to kill traffic close to the source that is trying to establish a connection to a destination, but the required difficulty is not satisfied). Routers wouldn't necessarily need to retain difficulty requirements for all destinations, but a destination that is getting a large amount of connection attempts that don't meet the difficulty requirement could cry out for help from the routers. Routers would just check connection attempts for a list of "hot" destinations.
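A sketch of the router-side check described in the post above, as an added example that is not from the post or from the linked paper. It assumes a hashcash-style SHA-256 puzzle bound to source, destination, port and a coarse time epoch; the puzzle format, the `Router` class and every name in it are hypothetical.

```python
import hashlib
import struct

def leading_zero_bits(digest: bytes) -> int:
    """Count zero bits at the front of a digest (the difficulty measure)."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def puzzle_digest(src, dst, dport, epoch, nonce) -> bytes:
    # Binding to the connection tuple and a coarse time epoch (assumed format)
    # keeps one solution from being reused for other flows or replayed later.
    header = f"{src}|{dst}|{dport}|{epoch}|".encode()
    return hashlib.sha256(header + struct.pack(">Q", nonce)).digest()

def solve(src, dst, dport, epoch, difficulty) -> int:
    """Client side: brute-force a nonce, about 2**difficulty hashes on average."""
    nonce = 0
    while leading_zero_bits(puzzle_digest(src, dst, dport, epoch, nonce)) < difficulty:
        nonce += 1
    return nonce

class Router:
    """Hypothetical router holding state only for destinations that asked for help."""
    def __init__(self):
        self.hot = {}  # destination -> required difficulty in bits

    def cry_for_help(self, dst, difficulty):
        self.hot[dst] = difficulty

    def calm(self, dst):
        self.hot.pop(dst, None)

    def admit(self, src, dst, dport, epoch, now_epoch, nonce=None) -> bool:
        required = self.hot.get(dst)
        if required is None:
            return True   # not a hot destination: forward without any check
        if nonce is None or abs(now_epoch - epoch) > 1:
            return False  # no proof attached, or proof from a stale epoch
        # Verification costs the router one hash, whatever the difficulty.
        return leading_zero_bits(puzzle_digest(src, dst, dport, epoch, nonce)) >= required
```

The asymmetry is the point: the sender pays roughly 2^difficulty hashes per connection attempt, while the router pays one hash and keeps one table entry per hot destination.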