Currently Jetty has DOSFilter which appears to be providing protection against DOS attack i.e. it keeps track of number of requests from a connection. In DDOS attack, we expect attack could be from millions of ip addresses and in that case DOSFilter won't do the job. Any other strategy you could apply here so that Jetty could survive ?
Dealing with millions of IP addresses ...
This would need to be solution before the connection is accepted. some kind of OS or network hardware solution.
Jetty, being a server, has to accept the connection in order to do anything with it.
You could probably use the Jetty request log and a custom fail2ban setup to ban IP addresses at the OS level based on some kind of criteria in the access log. (too many requests on a connection over X amount of time, triggering an IP specific DOSFilter action, ban that IP at the OS level for Y amount of time)