
Most/all DDoS attacks come from unwitting people whose computers or IoT devices have been taken over, on the order of tens or hundreds of thousands of devices. So there isn't much that can be done beyond filtering or having a large enough pipeline to absorb the traffic.

Even if you had a central authority cutting off access from IP addresses, do you cut off whole university campuses because someone's "smart" coffee machine is participating in a DDoS, or entire businesses because there is a computer in a closet somewhere that is infected?



We talked about this problem when I worked at a telco. The problem isn't necessarily cutting off the devices that are part of the attack, it's dealing with the aftermath.

As sad as it is, most people won't understand that their device has been affected, and the telcos won't be responsible, financially, for paying to do the cleanup or verification.


> Even if you had a central authority cutting off access from ip addresses, do you cut off whole university campuses because someone's "smart" coffee machine is participating in a ddos or entire businesses because there is a computer in a closet somewhere that is infected?

I think the solution is probably similar to the sorts of laws that we have for dealing with pollution and similar bad behaviour. Start with warnings and education, escalate to fines and other penalties, and only escalate to outright bans in the worst and most recalcitrant cases.


> do you cut off whole university campuses because someone's "smart" coffee machine is participating in a ddos

How about: use IPv6, and cut off just the coffee machine.


I feel like home router makers could intervene here and let their owners know when they’ve likely been hacked. Maybe even a regulation type deal?


That's never going to work, but it very well could lead to ISPs very strongly herding customers to use their own managed routers. They already push for that for customer support purposes; using this to start automatically snooping on "malicious" traffic within a customer's network would be a big step in the wrong direction.

You could make a compromise here and require ISPs and network vendors to support a common notification protocol to identify devices sourcing malicious traffic. Most ISPs already have systems in place to send notification messages to customers that are sending botnet traffic. You could mandate it for all of them and let the customer decide if they want their router configured to automatically block a device they were notified about or just record the MAC address and send the ISP a URL the user can visit to view the device sending the traffic. You could make it friendly to the unwashed masses and still put detection on the ISPs and not give them privileged access inside every customer's network.
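The scheme sketched in the comment above (flag the LAN device sourcing flood traffic, record its MAC, and let the customer choose between auto-blocking and merely recording it), as an added Python example. This is not code from the thread; the flow record format, the thresholds and the sample flows are constructed assumptions for a hypothetical home router.

```python
from collections import defaultdict

# Constructed sample flows: (unix_ts, src_mac, src_ip, dst_ip, dst_port). Not real data.
def build_sample_flows():
    flows = []
    # A laptop doing ordinary browsing: a handful of destinations over a minute.
    for i in range(20):
        flows.append((1700000000 + i * 3, "aa:bb:cc:00:00:01", "192.168.1.10",
                      f"93.184.216.{i % 5}", 443))
    # A "smart" coffee machine hitting 250 distinct hosts within 30 seconds.
    for i in range(300):
        flows.append((1700000000 + i // 10, "de:ad:be:ef:00:02", "192.168.1.42",
                      f"203.0.113.{i % 250}", 80))
    return flows

def flag_flood_sources(flows, window=60, min_flows=200, min_dsts=100):
    """Return {mac: (ip, flow_count, distinct_dsts)} for LAN hosts whose outbound
    connection rate in any `window`-second bucket looks like flood participation.
    Thresholds are hypothetical; a real router would tune them per link speed."""
    buckets = defaultdict(lambda: defaultdict(list))  # mac -> bucket -> [(sip, dip)]
    for ts, mac, sip, dip, _dport in flows:
        buckets[mac][ts // window].append((sip, dip))
    flagged = {}
    for mac, per_bucket in buckets.items():
        for entries in per_bucket.values():
            dsts = {dip for _, dip in entries}
            if len(entries) >= min_flows and len(dsts) >= min_dsts:
                flagged[mac] = (entries[0][0], len(entries), len(dsts))
                break
    return flagged

def decide_action(flagged, auto_block):
    """Apply the customer's chosen policy from the comment: block the device
    outright, or only record it so the customer can review it after notification."""
    return [{"mac": mac, "ip": ip, "action": "block" if auto_block else "record",
             "evidence": f"{n} flows to {d} destinations within one window"}
            for mac, (ip, n, d) in flagged.items()]

if __name__ == "__main__":
    for entry in decide_action(flag_flood_sources(build_sample_flows()), auto_block=False):
        print(entry)
```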


> home router makers could intervene here and let their owners know when they’ve likely been hacked

How?

A couple of years ago I had an email from our ISP telling me that "common port X is open on your router" (forwarded to a box exactly as I set it up) and asking if I could "fix the problem".

Except it wasn't a mistake or a configuration error, I deliberately set it up that way.


I don't see how this would be feasible without giving them a backdoor to snoop around in my home network. No thanks.


> do you cut off whole university campuses because someone's "smart" coffee machine is participating in a ddos

Yes?

That’s the only reasonable way to go about it. If you block only single clients you’ll just paint a large bullseye on universities.



