I don't see why not, but it would have to be baked into the client/server connect model. Basically they would have to act as a bouncer and only allow connections to the server after being authenticated before hand. If they detect a DDoS incoming then they just need to ask each legit client for a proof of work, this makes it so no amplification attack would work.