Free Republic

To: FunkyZero

Cheap firewalls can detect DOS attacks and make rules on the spot. It seems to me that the internet infrastructure, with all the wizards at its disposal, could analyze an organized attack within half an hour or so and shut it down.

If it's driven by zombies, those computers should be cut off by the IP until they are disinfected. It would seem to me that IPs could detect zombified computers.


14 posted on 04/29/2006 5:52:27 AM PDT by js1138 (somewhere, some time ago, something happened, but whatever it was, wasn't evolution)


To: js1138
It is dependent on many variables, unfortunately.
Distributed attacks cannot be defeated; only your service provider can null route all the traffic destined for the target address, and this action makes your server(s) unavailable for anyone to access. If you have multiple servers running on different addresses on the same circuit, this can at least save those devices. Unfortunate as it is, this is the way it works. In a distributed attack, thousands of infected machines can attack a target simultaneously, and a good part of these machines are in other countries that could really care less. Even if they did, mopping up the mess can take weeks... there are just too many of them.

And sure, a cheap firewall can "block" incoming packets from entering your inside network, but it cannot stop the incoming traffic to its own external interface; therefore, your line is "soaked", leaving no room for legitimate traffic, i.e. "Denial of Service". Cutting off entire source streams is not an option because you have many paying customers that would also go offline due to your actions, and they don't appreciate that at all. This would only multiply the damage caused by the attacker(s) and this is what he wants.
There is absolutely nothing you can do to stop it except wait for the attacker to get bored and quit.
If the source of the attack is limited to one or just a few dozen source addresses, then yes, an ISP(s) can halt the attack fairly easily.
15 posted on 04/29/2006 9:35:24 AM PDT by FunkyZero
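The choice described in post 15 (filter a handful of sources upstream versus null routing the target when the sources number in the thousands), sketched as an added example that is not part of either post or of any provider's tooling. The thresholds, function name and flow records are assumptions constructed for illustration.

```python
from collections import Counter

ACL_LIMIT = 36     # assumption: "a few dozen" sources fit in an upstream filter
SATURATION = 0.9   # assumption: the link counts as soaked above 90% utilisation
BULK = 0.9         # share of the traffic the listed sources must account for

def triage(flows, target, link_bps, window_s):
    """flows: (src_ip, dst_ip, byte_count) records seen upstream during window_s seconds."""
    per_src = Counter()
    for src, dst, nbytes in flows:
        if dst == target:
            per_src[src] += nbytes
    total = sum(per_src.values())
    # Offered load relative to the customer link; measured upstream it can exceed 1.0.
    utilisation = total * 8 / window_s / link_bps
    if utilisation < SATURATION:
        return {"action": "none", "utilisation": utilisation, "sources": []}
    # Smallest set of sources that explains BULK of the traffic to the target.
    heavy, covered = [], 0
    for src, nbytes in per_src.most_common():
        heavy.append(src)
        covered += nbytes
        if covered >= BULK * total:
            break
    if len(heavy) <= ACL_LIMIT:
        # Few sources: the provider can drop them before they reach the customer link.
        return {"action": "filter_sources_upstream", "utilisation": utilisation,
                "sources": heavy}
    # Too many sources to list: null route the target so that other addresses
    # on the same circuit stay reachable, at the cost of the target itself.
    return {"action": "null_route_target", "utilisation": utilisation, "sources": []}

# Constructed sample data: 10 Mbit/s link, 10-second window, documentation addresses.
LINK, WINDOW, TARGET = 10_000_000, 10, "203.0.113.10"
legit = [("198.51.100.%d" % i, TARGET, 20_000) for i in range(1, 6)]
few = legit + [("192.0.2.%d" % i, TARGET, 4_000_000) for i in range(1, 4)]
many = legit + [("10.%d.%d.1" % (i // 256, i % 256), TARGET, 2_500) for i in range(5000)]

if __name__ == "__main__":
    for name, flows in (("few sources", few), ("distributed", many)):
        print(name, "->", triage(flows, TARGET, LINK, WINDOW)["action"])
```

The filtering branch only helps when applied upstream of the saturated link; the same rule on the customer's own firewall leaves the line full.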



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson