Mike,
There are a few things to understand about Dos attacks before getting into the solution - the most important is that no matter what you have in line there will always be an attack that you can't handle.
The answer to the question is based on what you want to do with the DOS attack. If you're willing to just filter the attack (provided it's something that doesn't saturate your pipes) then there are a few multipurpose devices out there that will do just this sort of thing. There's a product from fortinet (
www.fortinet.com), some big iron from foundry networks (
www.foundrynetworks.com), and riverhead (
www.riverhead.com).
If you want to actually try to stop the attack or get right in the middle of it and defend your network you can build something from the products that I've listed above.
When deciding you should consider how big your pipes are, how many sessions you're prepared to deal with, and at what point you're going to consider submitting a null route to your upstreams.
There are software-only solutions out there but the problem with them is that for a serious network the applications aren't going to be able to do ddos detection on full-stream data.