>It's really hard to know what constitutes DDOS traffic at times. Suppose a Netflix show got really popular, do you cut it off. Let's make an exception for Netflix. What if a new competitor blahflix got popular quickly, Does its traffic get blocked?

Well, presumably companies have arrangements with their ISPs for expected usage and such. There can be a grace period as well, when you hit up the user and say "hey, you're using a lot of bw, is all well?" You also combine this with abuse reports from the victims if a DDoS is in fact underway. I don't think it's bad for an ISP to establish trust with a customer, either, this already happens with things like DMCA requests.

>Suppose DDOS happens from iot devices. One of this is an important medical device that got hacked. Do you auto shut it down and block it's traffic. What about the life critical device under same IP through NAT that is secure also getting blocked?

Life critical devices aren't exposed to the internet. IoT users should get throttled and receive a comminication from their ISP telling them they have a malicious device on their network with advice on how to fix the problem.

"One of this is an important medical device that got hacked"

If someone puts "an important medical device" on a network directly accessible from the internet, or on the same network as other IOT crap devices, they should be banned from ever working with computers.

You punish origin address forgery. That's enough.

If you are under attack and nobody is forging their origin, it's only a matter of you talking with your ISP to block the offenders.