The ISPs can tell that someone is misbehaving when their upstream informs them their IPs are taking part in a DDoS.
This information can trickle down from the tier one that presently just blackholes the victim.
Nobody says that infrastructure that was designed in the late eighties can't be improved upon with additional functionality, namely passing top-down information about misbehaving network ranges and/or IPs.
As an ISP you already see devices on your network sending traffic in unusual patterns, and when you receive the warning that they are part of a DDoS you shut them down. If not, your whole range goes down, etc.
Given that right now we can't even verify BGP announcements, which are a more critical target, I don't think we can tackle blocking. We'd need a real-time notification system which is not spoofable and has the ability to almost instantly boot anyone off the internet... and it needs to be reachable by nation-controlled ISPs. That's really a massive problem to solve and ensure it's not used for any other purpose. We haven't even established the trust/signing at that level yet. (see the nation-controlled CAs getting booted for spoofing domains)
Let's add a fourth to the three-napkin protocol.