
>solved

"worked around" is more appropriate, and introduced huge problems with their workaround.

The correct solution is to punish ISPs that permit this behavior to continue unchecked. We need offense, not defense. Any ISP that doesn't detect and kill DDoS participants needs to be severely throttled by other ISPs. Organizations like the FCC should be tackling this and levying fines against US-based ISPs for non-compliance and lobbying for foreign policies that punish foreign ISPs.




It's really hard to know what constitutes DDoS traffic at times. Suppose a Netflix show got really popular; do you cut it off? Let's make an exception for Netflix. What if a new competitor, blahflix, got popular quickly? Does its traffic get blocked?

Oh wait now blahflix needs to pay $$$ to get special privileges. Shit gets hairy real quick.

Suppose a DDoS happens from IoT devices. One of these is an important medical device that got hacked. Do you auto shut it down and block its traffic? What about the life-critical device under the same IP through NAT that is secure also getting blocked?

ISPs should remain dumb pipes. You really don't want to give Comcast more power.


>It's really hard to know what constitutes DDoS traffic at times. Suppose a Netflix show got really popular; do you cut it off? Let's make an exception for Netflix. What if a new competitor, blahflix, got popular quickly? Does its traffic get blocked?

Well, presumably companies have arrangements with their ISPs for expected usage and such. There can be a grace period as well, when you hit up the user and say "hey, you're using a lot of bandwidth, is all well?" You also combine this with abuse reports from the victims if a DDoS is in fact underway. I don't think it's bad for an ISP to establish trust with a customer, either; this already happens with things like DMCA requests.

>Suppose a DDoS happens from IoT devices. One of these is an important medical device that got hacked. Do you auto shut it down and block its traffic? What about the life-critical device under the same IP through NAT that is secure also getting blocked?

Life-critical devices aren't exposed to the internet. IoT users should get throttled and receive a communication from their ISP telling them they have a malicious device on their network, with advice on how to fix the problem.


"One of these is an important medical device that got hacked"

If someone puts "an important medical device" on a network directly accessible from the internet, or on the same network as other IoT crap devices, they should be banned from ever working with computers.


Elon Musk is working on direct brain interfaces with computers. Soon, they'll be able to hack your brain!


You punish origin address forgery. That's enough.

If you are under attack and nobody is forging their origin, it's only a matter of you talking with your ISP to block the offenders.
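The comment above rests on source-address validation at the ISP edge: if a customer port can only emit packets from the prefixes allocated to it (the practice standardised as BCP 38 / RFC 2827 ingress filtering), then the addresses a victim sees in an attack are real and an abuse report can name the offender. The following is an added illustration written for this thread, not code from any ISP, Cloudflare, or the commenters; the port-to-prefix table, the packets, and the "victim" address are constructed.

```python
"""Ingress (source-address) filtering at an ISP customer port.

Added example in the spirit of BCP 38 / RFC 2827. The allocation table,
the sample packets and the victim address below are all constructed.
"""
import ipaddress
from collections import Counter

# Hypothetical table: which source prefixes each customer-facing port may
# legitimately emit. A real ISP would derive this from its IPAM/RADIUS data.
PORT_ALLOCATIONS = {
    "port-1": [ipaddress.ip_network("203.0.113.0/24")],
    "port-2": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:1::/48")],
}


def source_allowed(port, src):
    """True if src lies inside a prefix allocated to this ingress port.

    An unknown port has no allocations, so nothing from it is allowed.
    Address-family mismatches (v4 address vs v6 prefix) simply fail the
    membership test rather than raising.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PORT_ALLOCATIONS.get(port, ()))


def ingress_filter(packets):
    """Split packets into (forwarded, dropped).

    Each packet is a tuple (ingress_port, src_ip, dst_ip). A packet whose
    source is not allocated to the port it arrived on is treated as forged
    and dropped at the edge, before it can reach anyone else's network.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        (forwarded if source_allowed(port, src) else dropped).append(pkt)
    return forwarded, dropped


def top_sources(packets, n=3):
    """Count forwarded packets per source address.

    Once sources cannot be forged, this is the list a victim can hand to
    the upstream ISP: the addresses in it are the actual senders.
    """
    return Counter(src for _port, src, _dst in packets).most_common(n)


# Constructed traffic. VICTIM is the address an attacker on port-1 tries to
# forge so that replies from 198.51.100.53 land on the victim instead.
VICTIM = "192.0.2.10"
SAMPLE_PACKETS = [
    ("port-1", "203.0.113.7", VICTIM),          # legitimate, inside /24
    ("port-1", "203.0.113.7", VICTIM),
    ("port-1", VICTIM, "198.51.100.53"),        # forged source: dropped
    ("port-1", VICTIM, "198.51.100.53"),        # forged source: dropped
    ("port-2", "198.51.100.9", VICTIM),         # legitimate, inside /25
    ("port-2", "198.51.100.200", VICTIM),       # outside the /25: dropped
    ("port-2", "2001:db8:1::1", "2001:db8:ffff::1"),  # legitimate v6
    ("port-9", "10.0.0.1", VICTIM),             # unknown port: dropped
]

if __name__ == "__main__":
    fwd, drop = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for pkt in drop:
        print("dropped as spoofed:", pkt)
    print("real top talkers for an abuse report:", top_sources(fwd))
```

The point of the split is the last line: after filtering, every address in `top_sources` belongs to a customer the ISP can identify, which is exactly what "talking with your ISP to block the offenders" requires. Without the filter, the two forged packets would make the victim appear to be attacking 198.51.100.53, and the reflected replies would hit the victim with no trail back to port-1.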


This is a noble ideal that will never actually fly in practice. I can protect my site against DDoS by correcting architecture issues with one small set of companies: the hosting providers that my site sits behind, and the computers and architecture that make my solution work.

You're proposing that I protect my site by rewriting the rules for the internet across the entire planet and punishing every single visitor (thousands upon thousands!!) who doesn't play by some new arbitrary rules that we then have to get everyone to agree on.

No, the ISPs should not be made to correct this kind of behavior, because it will be an eternal game of cat and mouse, and we've proven that the attackers can get around said blocks quite easily. Heck, often the "attackers" are grandma and grandpa types that clicked on a bad link and didn't know any better. Instead, we're taking the right approach here: identify bad incoming traffic at the destination, and drop it before it hits the backing servers. That's a solution we can actually reasonably apply.

I don't agree with a lot of what Cloudflare is doing, and I really wish we had more than one service like it that was as popular as they are, but they are doing good work. They're solving a huge need within the industry. I believe there should be more competition in the space, but I refuse to believe that the overall approach is inherently bad when it obviously works.


The solution can't be to hurt innocent traffic because a malicious user has some of the bandwidth. I agree some ISPs are complicit in the situation, but tit-for-tat approaches ultimately will hobble ISPs and create an irate and distrustful internet. Even if you do create a magical technical solution that solves all the challenges without hurting bystanders, then you face an even bigger challenge: the status quo.

There is no way to get from our current situation to the world you propose; there will never be a quorum from ISPs (or governments) on this sort of standard. It's a tragedy of the commons, and no single participant has enough leverage or interest in a new status quo.



