Rextended, we've tried it both ways. Doing all the shaping at the border results in the router getting overloaded, so we distribute the load.
And we are doing okay. The next time, if you want to ask a question about our strategy, just ask the question. Don't be a *****.
Rextended is 100% correct. If you mitigate (inbound) DDoS traffic somewhere inside your network, then however many links it takes to carry the flood to your scrubbing system will be overloaded. Scrubbing right at the front door will stop your internal infrastructure from being burdened with the load. If you carry your users' upstream DDoS traffic to a scrubber, then whatever region of the network they're on will also be affected. You don't want to carry DDoS flood traffic even 1 hop more than required.
If the CPU of your upstream border router isn't beefy enough to handle the shaping on a DDoS flood, then you can try filtering the traffic entirely. If even this isn't possible (because the attack uses completely random ports), or if even this overloads the CPU, then your only remaining option is to blackhole route the target IP until the storm goes by, or else to get your service provider's help in filtering the traffic before it reaches your network.
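The decision described in the post above (drop the flood on a specific port if it has one, otherwise give up the target address and blackhole it), as an added example that is not from any poster in this thread. It assumes a Linux box doing the border filtering, so the emitted commands are iptables/iproute2 rather than vendor router syntax; the flow summaries are constructed, not captured traffic, and the 90% concentration threshold and the hypothetical helper names (pick_target, plan_mitigation) are my choices.

```python
import math
import random
from collections import Counter

# Constructed flow summaries, not captured traffic: (src, dst, proto, dport, packets).
# Addresses are from the RFC 5737 documentation ranges; the victim is 203.0.113.10.

# Scenario 1: UDP flood aimed at port 53 of a host that does not serve DNS,
# so dropping that one port at the border costs the victim nothing.
UDP53_FLOOD = [
    ("198.51.100.%d" % i, "203.0.113.10", "udp", 53, 50_000) for i in range(1, 41)
] + [("192.0.2.7", "203.0.113.20", "tcp", 443, 300)]  # unrelated legitimate traffic

# Scenario 2: the same victim hit on completely random UDP ports. There is no
# single port to filter, so the only local option left is a blackhole route.
_rng = random.Random(1)  # fixed seed so the sample is reproducible
RANDOM_PORT_FLOOD = [
    ("198.51.100.%d" % (i % 254 + 1), "203.0.113.10", "udp",
     _rng.randrange(1024, 65536), 20_000)
    for i in range(400)
] + [("192.0.2.7", "203.0.113.20", "tcp", 443, 300)]


def port_entropy(ports):
    """Packet-weighted Shannon entropy (bits) of the (proto, dport) distribution.
    Near 0 means the flood is concentrated on one port; high means random ports."""
    total = sum(ports.values())
    return -sum(n / total * math.log2(n / total) for n in ports.values())


def pick_target(flows):
    """Return (dst, packets) for the destination receiving the most packets."""
    pkts = Counter()
    for _, dst, _, _, n in flows:
        pkts[dst] += n
    return pkts.most_common(1)[0]


def plan_mitigation(flows, concentration=0.90):
    """Choose between a port filter and a blackhole route for the busiest target.

    concentration: fraction of the victim's packets that must land on a single
    (proto, dport) before a port-specific drop rule is considered worthwhile."""
    target, _ = pick_target(flows)
    ports = Counter()
    for _, dst, proto, dport, n in flows:
        if dst == target:
            ports[(proto, dport)] += n
    total = sum(ports.values())
    (proto, dport), top = ports.most_common(1)[0]
    share = top / total
    report = {"target": target, "port_share": share,
              "entropy_bits": port_entropy(ports)}
    if share >= concentration:
        # Flood has one dominant port: drop just that at the border and keep
        # the rest of the victim's traffic flowing.
        report["action"] = "filter"
        report["commands"] = [
            f"iptables -I FORWARD -d {target} -p {proto} --dport {dport} -j DROP"
        ]
    else:
        # Random ports: no filter fits, so sacrifice the one address to keep the
        # links and the rest of the network usable. Handing the /32 to the
        # upstream (RFC 7999 BLACKHOLE community 65535:666) stops the flood one
        # hop earlier still, but the exact announcement depends on the provider.
        report["action"] = "blackhole"
        report["commands"] = [f"ip route add blackhole {target}/32"]
    return report


if __name__ == "__main__":
    for name, flows in (("udp/53 flood", UDP53_FLOOD),
                        ("random-port flood", RANDOM_PORT_FLOOD)):
        plan = plan_mitigation(flows)
        print(f"{name}: target={plan['target']} action={plan['action']} "
              f"top-port share={plan['port_share']:.2f} "
              f"entropy={plan['entropy_bits']:.1f} bits")
        for cmd in plan["commands"]:
            print("   ", cmd)
```

The entropy figure is the quick check for the "completely random ports" case the post mentions: a flood on one port scores close to zero bits, a random-port flood scores several bits, and once no single port carries most of the packets the script stops trying to filter and falls back to the blackhole route.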