How about this for a fix? Just thinking out loud here...
Let's make a protocol that allows a server to specify to its upstream ISP to cut off all traffic from a particular IP address. The ISP can either soak up the traffic, or go further up to its own upstream ISP and relay the request, and so on until the source of the attack is reached. Now it's between the IoT device owner and his residential ISP; it's up to them to sort it out.
To motivate all ISPs to play along let's make a law for each ISP to be financially responsible for failure to honor such requests, enough for a victim to pay for defense plus some %% in penalties.
Sort of an automated "Cease and Desist" letter, and a failure to abide is an automatic tort.
Your typical large-scale attack has a few thousand IPs at most, so it's technically doable. All that's missing is the motivation for everyone to abide. With enough incentive hardware makers might accommodate, too.
It shouldn't be hard to tell a person from a DoS robot. A person can authorize to get whitelisted, or solve a captcha. A person's rate of requests is much lower than that of a bot.
The problem is what to do once abusive IPs are identified. Right now you will pay for all the bandwidth used.
Hm?