Solutions

Operational: do not configure a 6to4 relay router whenever possible
  - Don't run relays if you don't need them

Operational: have a registry of 6to4 relays, to make checks possible
  - Example: require relays to have special DNS records in the in-addr.arpa tree
  - May make deployment a bit harder

Operational: perform IPv4 ingress filtering against the IPv6 source when the IPv6 source is a 6to4 prefix
  - On both tunnel encapsulation and decapsulation

Protocol: invalidate the following 6to4 prefixes (incomplete but useful)
  - 2002:0000::/24
  - 2002:7f00::/24
  - 2002:e000::/20
  - 2002:ff00::/24
  - 6to4 prefixes that map from subnet broadcast addresses (not complete, since we can't check remote broadcasts)
  - If anyone sees packets with any of these, drop them

Operational: require IPv4 AH between 6to4 relays
  - Buys too little with too much cost

Relaying still needs great care
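The ingress check and the invalid-prefix list above, worked through as an added example (not code from the original slides). It uses the standard 6to4 mapping (the IPv4 address sits in bits 16..47 of a 2002::/16 address); the function names, the `local_subnets` parameter for the broadcast check, and the sample addresses are this example's own assumptions.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")

# 6to4 prefixes listed on the slide as never valid. They embed IPv4
# 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/4 and 255.0.0.0/8 respectively.
INVALID_6TO4 = [ipaddress.IPv6Network(p) for p in (
    "2002:0000::/24", "2002:7f00::/24", "2002:e000::/20", "2002:ff00::/24")]


def embedded_ipv4(addr6):
    """Return the IPv4 address embedded in a 6to4 address, or None if not 6to4."""
    a = ipaddress.IPv6Address(addr6)
    if a not in SIXTO4:
        return None
    # bits 16..47 from the top of the 128-bit address hold the IPv4 address
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def check_6to4_source(inner_v6_src, outer_v4_src=None, local_subnets=()):
    """Decide whether a 6to4 packet should be dropped based on its IPv6 source.

    outer_v4_src is the IPv4 source of the encapsulating packet (decapsulation
    side); pass None on the encapsulation side, where there is no outer header
    yet and only the prefix/broadcast checks apply.  local_subnets lists IPv4
    subnets whose broadcast addresses we *can* check (remote ones we cannot).
    Returns (verdict, reason).
    """
    v4 = embedded_ipv4(inner_v6_src)
    if v4 is None:
        return ("accept", "inner source is not 6to4; this check does not apply")
    a6 = ipaddress.IPv6Address(inner_v6_src)
    for net in INVALID_6TO4:
        if a6 in net:
            return ("drop", f"inner source in invalid 6to4 prefix {net} (embeds {v4})")
    for subnet in local_subnets:
        if v4 == ipaddress.IPv4Network(subnet).broadcast_address:
            return ("drop", f"inner source embeds broadcast address {v4} of {subnet}")
    # IPv4 ingress filter against the IPv6 source: the embedded IPv4 address
    # must match the outer IPv4 source that actually delivered the packet.
    if outer_v4_src is not None and ipaddress.IPv4Address(outer_v4_src) != v4:
        return ("drop", f"outer IPv4 src {outer_v4_src} does not match embedded {v4}")
    return ("accept", f"embedded IPv4 {v4} is consistent with the packet")


if __name__ == "__main__":
    # constructed sample: outer source 192.0.2.4 delivering a 2002:c000:0204::/48 packet
    print(check_6to4_source("2002:c000:0204::1", "192.0.2.4"))
    print(check_6to4_source("2002:7f00:0001::1", "192.0.2.4"))
```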