Hmm. How do you set "flood protection" thresholds when your Internet service is faster than anybody else could possibly flood you, and yet most of your LAN devices would die if they actually had to handle that many packets?
Or in the outgoing direction, what's the difference between a "flood" of outgoing packets vs. "just sending stuff at full speed?" (About 970 megabits/sec, some would say :))
This all feeds into the larger question of what happens when someone figures out how to use a super fast ISP as a DDOS source. They have so much legitimate upstream bandwidth that it's hard to tell what constitutes an attack. Ironically, since everyone else is so slow, if you're using anywhere close to a gigabit of uplink, it probably is an attack. But enforcing that as a rule would be kind of ridiculous.
ssh+2FA to all your machines, anywhere, without opening firewall ports.