We run a fairly large game server hosting company with about 60 machines running Server 2008, and DDoS attacks are something we have been dealing with for a long time. Unfortunately, due to the prices of the market, there is no way that we or any other company could feasibly put hardware firewalls in all of our datacenters.
Our course of action has always been to just contact the datacenter, and they null route the IP address/Port for 24 hours. This of course is a very unappealing way of dealing with the issue, especially for our clients.
From what I understand, a software firewall will only complicate the issues of a DDoS attack. I have read some about hardening the TCP/IP stack, but it sounds like there isn't much that can be done from Server 2008 to help with this.
Is there anything we can do?
Yes, yes there is. Please re-evaluate your economics (How much does a firewall cost? How much do you lose per hour when you're down because of a DDoS? How much damage will be done to your reputation when someone finds an accidentally-open RDP port and breaks into some critical box on your network?).
You should be able to afford (redundant) dedicated firewalls at each datacenter - Firewalls are NOT expensive.
Proper tuning of your firewall (traffic throttling, shaping, etc.) will help mitigate DDoS attacks. At the very least it will offer some protection for your systems against simple worms or curious hackers poking around for remote logins.
In terms of DoS mitigation you can always go one step up the ladder: your ISP can null-route non-distributed attacks (as you've already mentioned, this is your current process - it's a good one) or rate-limit distributed ones (though expect this to get expensive if you're under attack frequently -- they'll eventually charge for those firewall changes).
Further up the ladder you can consider services like those offered by Arbor Networks for DDoS protection/mitigation, though these are typically targeted at the ISP/Service Provider level rather than individual companies. The prices for these solutions tend to be rather extortionate.
If you can afford sixty servers, with sixty licenses of Server 2008, and the payroll costs for sysadmins to support and developers to code enough games that need sixty servers to run, then you can afford dedicated firewalls.
Also, take it as truth that (almost) all other companies "feasibly put hardware firewalls in all of [their] datacenters."
As far as DDoS protection: if it's just a flood to fill your bandwidth, nothing on your side of your link is going to help that. If it's a server-resource attack, then a firewall will most likely be able to help if configured competently.