In this case, the problem with any kind of technical workaround on the server side is that Baidu is under the jurisdiction of the government implementing the DDoS and is thus unlikely to be able to actively work to defeat it. If another country tried to do the same... well, that's what HTTPS is for.
That's fairly off topic - I mentioned that HTTPS is somewhat irrelevant here since Baidu is located in China, and anyway a forged certificate could not be used in a mass attack like this one since the issuing CA would come to the attention of browser vendors rather quickly. For the record, hopefully Google's upcoming Certificate Transparency feature in Chrome will help address the general issue, although who knows what kind of adoption it will have in practice.
