bucko909 @ 2008-07-23 16:57:00
Entry tags: computing
DDoS attacks - why do they work?
So, 4chan is under a massive DDoS attack right now, causing it to be completely inaccessible. This doesn't exactly bother me as I rarely use it. But it does bring me to wonder: How can such an attack persist?
DDoS attacks are a result of many small internetted machines sending large amounts of data to the target until it crumbles. This data presumably gets routed through a number of routers: The breached computer's ISP, their upstream, large hubs, the victim's upstream, the victim's ISP and finally the victim.
Obviously when this sort of thing happens there's a block at the receiving end, presumably as far up as they can go to save the costs of receiving all the spam. My question is why can't the blocks happen at the sending end?
DDoS attacks must be readily recognisable with minimal inspection. It seems most routers nowadays use connection tracking and it's pretty unlikely anything can make a connection to the target under all this abuse, so one is led to suspect that all this data is sent via SYN or maybe RST packets over TCP, UDP spam or ICMP spam. The thing is, all of these things should be expected to be of a fairly low volume. UDP is used for DNS and gaming, which shouldn't be too high bandwidth, ICMP is used for basically nothing so can almost certainly be safely limited, and it's pretty rare for a machine to need to make more than 10 connections per second, so a burst of 100 and an average of 15 ought to sort that out.
Not only is it useful to stop the spammage, but it must also be useful to be able to mail customers with "we suspect you've been rooted" when traffic consistently breaches these limits, with cutoffs threatened after a week or so without adequate explanation.
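As an added example (not part of the original post), here is what the sending-end check described above looks like as a token bucket: each customer host gets a bucket of 100 tokens (the burst), refilled at 15 per second (the average), and every new outbound connection attempt spends one. Replaying a constructed per-second log of connection attempts through it shows which hosts would have been throttled and, for the "we suspect you've been rooted" mail, which ones were over the limit for second after second. The two hosts and their traffic are invented for the example; the 15/100 figures are the ones from the post.

```python
from collections import Counter, defaultdict

# Limits taken from the post: ~15 new connections/sec sustained, bursts of 100 tolerated.
AVG_RATE = 15
BURST = 100


def build_sample_events():
    """Constructed sample "flow log": one (second, source_host) tuple per new outbound
    connection attempt seen at the ISP edge over a 10 second window.
    10.0.0.5 is a hypothetical normal host (5 connections/sec);
    10.0.0.9 is a hypothetical compromised host flooding a target (300 connections/sec)."""
    events = []
    for second in range(10):
        events += [(second, "10.0.0.5")] * 5
        events += [(second, "10.0.0.9")] * 300
    return events


def count_per_host_second(events):
    """Collapse the raw log into counts[host][second] = number of new connections."""
    counts = defaultdict(Counter)
    for second, host in events:
        counts[host][second] += 1
    return counts


def token_bucket_report(events, rate=AVG_RATE, burst=BURST):
    """Replay each host's per-second connection counts through a token bucket
    (capacity `burst`, refilled `rate` tokens per second, one token per new connection).
    Returns, per host, how many attempts would have been refused and the list of
    seconds in which the host was over its limit."""
    counts = count_per_host_second(events)
    report = {}
    for host, per_second in counts.items():
        tokens = burst          # bucket starts full
        refused = 0
        bad_seconds = []
        first, last = min(per_second), max(per_second)
        for second in range(first, last + 1):   # idle seconds still refill the bucket
            tokens = min(burst, tokens + rate)
            wanted = per_second.get(second, 0)
            allowed = min(wanted, tokens)
            tokens -= allowed
            if wanted > allowed:
                refused += wanted - allowed
                bad_seconds.append(second)
        report[host] = {"refused": refused, "bad_seconds": bad_seconds}
    return report


def suspect_rooted(report, min_bad_seconds=5):
    """Hosts over the limit in at least `min_bad_seconds` distinct seconds: the ones
    that would get the 'we suspect you've been rooted' notice rather than a one-off throttle."""
    return sorted(host for host, r in report.items() if len(r["bad_seconds"]) >= min_bad_seconds)


if __name__ == "__main__":
    rep = token_bucket_report(build_sample_events())
    for host, r in rep.items():
        print(f"{host}: {r['refused']} attempts refused, {len(r['bad_seconds'])} seconds over limit")
    print("notify:", suspect_rooted(rep))
```

With these numbers the normal host never touches its limit, while the flooding host gets 100 attempts through in the first second and then only 15 per second afterwards, so 2765 of its 3000 attempts are refused and it is over the limit in all 10 seconds. The per-host state is one integer and a timestamp, which is the point of the post's question: the check is cheap enough to run at the customer's own ISP.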
So, like I say, why doesn't this happen? Is it just too hard to track the data? Am I wrong about connection tracking being common?