The DDoS protection system should work by analyzing packets in real time via something like PF_RING or DPDK (steering traffic to DPDK via a VRF or a port mirror).
The system should analyze packets and, based on various rules, generate BGP FlowSpec rules to stop these attacks on the core router or at the upstreams.
DPDK can also work with all traffic forwarded to it, so if an attack can't be stopped by inspecting traffic and applying BGP FlowSpec rules, it may be possible to drop it on the current system.
The code base can be taken from here: [login to view URL]
Whoever takes this job must know networking, how attacks work, the OSI model, C/C++, and firewalling basics, and must understand how to stop attacks by analyzing packets, sniffing, and so on.