While a firewall is very good at reducing vulnerability to hacks, it is not built to mitigate denial of service attacks. There are a few tweaks that can be done, which may or may not help. These are unlikely to help much, though.
I think the only real way around them is asking upstream to drop the packets before they ever get to you. Your definition of asking might be a phone call or sending back a null route or something. A firewall will only drop the packets once it sees them, by which time they have used your bandwidth already.