Headless-browser DDoS: How to Flush Out a T-1000

Browser-based botnets are the T-1000s of the DDoS world. Just like the iconic villain of the old Judgment Day movie, they too are designed for adaptive infiltration. This is what makes them so dangerous. Where other more primitive bots would try to brute-force your defenses, these bots can simply mimic their way through the front gate.
So how do you flush out a T-1000? How do you tell a browser-based bot from a real person using a real browser?