Hi,
Agreed, what I've done in the past to get around that issue is to set up a SPAN port on our edge so it takes a packet and mirrors it to another server, say nic1. You run a script on that server that does all the number crunching; based on what it sees, you can have your script modify routing on the edge router, inject iptables rules into your server or any gw devices above the server. You can then not only provide layer 3-4 protection (while taking the immediate threat away) but now can allow the attack to go on for, say, 1-5 min, monitor the URI and log files and create a behavior profile for the traffic, which you can then use to block dirty traffic and allow good traffic back in.
Having a feedback loop system allows you to get rid of any false positives. Say a good IP is somehow redirected to localhost:81 (where there is a valid link with a captcha saying "if you are in fact a GOOD user, answer the question and click [go]"). Then have that action inject a cookie into the session, which then gets matched at the edge and passes down to the proper segment.
There are dozens of ways to mitigate the issue; it just depends on how you want to go about it. I've worked on designing advanced DDoS mitigation networks/software and server-based appliances.
Having said this, I do think that nginx requires a native DDoS mitigation module; it would save a lot of time and effort in the long run! =)
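As an added example (not code from the poster or from nginx), here is the shape of the "number crunching" script described above: it parses a batch of access log lines, counts requests per source IP, exempts any IP whose session carries a valid captcha cookie, and emits iptables rules for the remaining high-volume sources as strings for review rather than executing them. The log lines are constructed for the example and assume a custom nginx log_format that appends `$http_cookie` as a final quoted field; the cookie name `good_user`, the HMAC-of-client-IP token scheme, the secret and the threshold of 50 requests are all assumptions, not anything from the original post.

```python
import hashlib
import hmac
import re
from collections import Counter, defaultdict

# Hypothetical shared secret between the captcha page (localhost:81 in the post)
# and the edge-side check. Constructed for the example; use a real secret in practice.
SECRET = b"example-shared-secret-not-for-production"
COOKIE_NAME = "good_user"     # hypothetical cookie set after the captcha is solved
THRESHOLD = 50                # requests per IP in the observed batch (assumed value)

# Combined log format plus one extra quoted field for $http_cookie (assumed log_format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)


def make_token(ip: str) -> str:
    """Cookie value the captcha page would set: HMAC-SHA256 of the client IP."""
    return hmac.new(SECRET, ip.encode(), hashlib.sha256).hexdigest()


def has_valid_token(ip: str, cookie_header: str) -> bool:
    """True if the Cookie header carries a token that verifies for this IP."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and hmac.compare_digest(value, make_token(ip)):
            return True
    return False


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, threshold=THRESHOLD):
    """Count requests per IP, note verified (captcha-passed) IPs, pick offenders."""
    counts = Counter()
    uris = defaultdict(Counter)
    verified = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        ip = rec["ip"]
        counts[ip] += 1
        uris[ip][rec["uri"]] += 1
        if has_valid_token(ip, rec["cookie"]):
            verified.add(ip)
    # High-volume sources that never presented a valid cookie.
    offenders = sorted(ip for ip, n in counts.items()
                       if n > threshold and ip not in verified)
    # Most-hit URI per offender, for the "monitor the URI" step.
    top_uri = {ip: uris[ip].most_common(1)[0][0] for ip in offenders}
    return {"counts": dict(counts), "verified": verified,
            "offenders": offenders, "top_uri": top_uri}


def iptables_rules(offenders):
    """Rules to push to the server or gateway; returned as strings, not executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in offenders]


def sample_log():
    """Constructed log batch: one unverified flood, one verified heavy user, one quiet client."""
    def entry(ip, uri, cookie=""):
        return (f'{ip} - - [10/Oct/2000:13:55:36 +0000] "GET {uri} HTTP/1.1" '
                f'200 512 "-" "Mozilla/5.0" "{cookie}"')
    lines = [entry("203.0.113.7", "/login") for _ in range(60)]
    good_cookie = f"{COOKIE_NAME}={make_token('198.51.100.5')}"
    lines += [entry("198.51.100.5", "/search?q=nginx", good_cookie) for _ in range(60)]
    lines += [entry("192.0.2.9", "/") for _ in range(3)]
    return lines


if __name__ == "__main__":
    result = analyze(sample_log())
    print("verified:", sorted(result["verified"]))
    print("offenders:", result["offenders"], result["top_uri"])
    for rule in iptables_rules(result["offenders"]):
        print(rule)
```

Run it against a real log tail by replacing `sample_log()` with the lines read from the mirrored traffic; the cookie check is what keeps the verified heavy user out of the block list even though its request count exceeds the threshold.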