There should be a way to block inbound external spoofed IPs and port scans, thereby eliminating the DDoS possibility. I run a WatchGuard Firebox II, which I believe uses iptables for firewalling, and I can block inbound external connections from spoofed IPs and scans. I even have the ability to block the offender for a specific amount of time. How to do this with iptables is beyond my knowledge, but I imagine it should be possible.
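
One way to do what the post asks with iptables, as an added example that is not part of the original post: source filtering for obviously spoofed addresses, TCP flag checks for common scan probes, and a timed block using the `recent` match. The interface `eth0`, the 600-second ban, the `BAN` chain and the `scanners` list name are assumptions; by default the script only prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post.
# IPT defaults to "echo iptables" so rules are printed, not installed.
# Run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"      # assumed external interface name
BAN_SECS="${BAN_SECS:-600}"   # assumed ban duration in seconds

build_rules() {
    # Helper chain: record the source in the "scanners" list, then drop.
    $IPT -N BAN
    $IPT -A BAN -m recent --name scanners --set -j DROP

    # 1. Timed block: drop everything from a source that was listed
    #    within the last BAN_SECS seconds. Must come first in INPUT.
    $IPT -A INPUT -i "$EXT_IF" -m recent --name scanners \
        --rcheck --seconds "$BAN_SECS" -j DROP

    # 2. Anti-spoofing: private and loopback sources can never
    #    legitimately arrive on an Internet-facing interface.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    done

    # 3. Scan probes: TCP flag combinations no normal stack sends
    #    (NULL, Xmas, SYN+FIN, SYN+RST). Matching sources get banned.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --tcp-flags ALL NONE -j BAN
    $IPT -A INPUT -i "$EXT_IF" -p tcp --tcp-flags ALL FIN,PSH,URG -j BAN
    $IPT -A INPUT -i "$EXT_IF" -p tcp --tcp-flags SYN,FIN SYN,FIN -j BAN
    $IPT -A INPUT -i "$EXT_IF" -p tcp --tcp-flags SYN,RST SYN,RST -j BAN
}
```

Because the ban is keyed on source address, a probe with a forged source can get an innocent address listed, so keep the ban short; filtering on the host also does nothing for a flood that saturates the upstream link.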