I don't think there's a 100% sure way to prevent / stop a DoS. There are tools to help fight them. A persistent herder of zombies (zombies being infected computers used in DDoS) could attack you for a month or more straight, making services come to a halt.
You could filter out certain things but a creative / persistent attacker would just modify his attack.
You could modify an ASL to accept/reject certain ICMP messages based on physical address, logical address, protocol used, etc. That should stop MOST DoS and DDoS attacks.