by samplonius
3550 days ago
There is an incentive: it is the cost of transit. However, there usually are not a lot of zombies per single ISP for the access-level ISP to even see any abnormal traffic. The best thing is that access ISPs need to implement BCP38 (https://tools.ietf.org/html/bcp38), and shut down all open recursive DNS servers. It would be great if Microsoft didn't ship such a retarded DNS server too. I would say that most ISPs do not do this. NTP really should be replaced with something better. There are still large numbers of NTP amplification attacks going on. The big issue with NTP today is that by default ntpd in daemon mode is also an NTP server and responds to NTP requests, and so many of the two-bit home routers run ntpd. But the reality is that no one is even reporting DDoSes right now. I work at an ISP, and I haven't seen a DDoS report in the past year. We pro-actively scan for open DNS and open NTP services. But many DDoS attacks just use regular HTTP/HTTPS, and are hard to detect at the individual network connection level. Do you think Akamai sent out a single notice to any ISPs, saying "The following X IPs are sending excessive traffic to site Y, and are suspected to be part of a botnet"?
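The two defensive measures the comment names, BCP38 ingress filtering and proactively finding open DNS/NTP responders inside the customer base, can both be approximated from exported flow records. The script below is an added example and not part of the comment or anything samplonius's ISP runs; the interface names, customer prefixes and flow records are constructed sample data, and the field names of the flow dicts are an assumption about whatever flow export format is in use.

```python
"""Two flow-record checks an access ISP might run (added example, constructed data).

Assumptions not taken from the comment:
  - flow records are dicts with the keys used in FLOWS below
  - the prefixes assigned to each customer-facing interface are known from provisioning
"""
import ipaddress
from collections import defaultdict

# Constructed mapping: ingress interface -> prefixes assigned to the customer on it.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("198.51.100.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("203.0.113.0/25")],
}

# Constructed flow records (documentation-range addresses, not real traffic).
FLOWS = [
    # ordinary customer DNS lookup: source address belongs to ge-0/0/1
    {"iface": "ge-0/0/1", "src": "198.51.100.10", "dst": "192.0.2.1",
     "proto": "udp", "sport": 40000, "dport": 53, "bytes": 120, "packets": 2},
    # source address not assigned to ge-0/0/1: the packets BCP38 filtering would drop
    {"iface": "ge-0/0/1", "src": "192.0.2.77", "dst": "203.0.113.200",
     "proto": "udp", "sport": 51000, "dport": 123, "bytes": 960, "packets": 20},
    # customer router whose ntpd answers the whole Internet with large responses
    {"iface": "ge-0/0/2", "src": "203.0.113.5", "dst": "192.0.2.77",
     "proto": "udp", "sport": 123, "dport": 51000, "bytes": 44000, "packets": 100},
    # normal ntpd client exchange: 48-byte packets, very few of them
    {"iface": "ge-0/0/1", "src": "198.51.100.20", "dst": "192.0.2.123",
     "proto": "udp", "sport": 123, "dport": 123, "bytes": 96, "packets": 2},
]

# UDP services the comment singles out as amplification sources.
AMP_PORTS = {53, 123}


def bcp38_violations(flows, prefixes=CUSTOMER_PREFIXES):
    """Return flows whose source address is outside the prefixes assigned to the
    interface they arrived on. These are the packets an ingress filter (BCP38)
    would discard; seeing them in flow data means the filter is missing."""
    bad = []
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        allowed = prefixes.get(f["iface"], [])
        if not any(src in net for net in allowed):
            bad.append(f)
    return bad


def open_amplifier_candidates(flows, prefixes=CUSTOMER_PREFIXES,
                              min_avg_bytes=200, min_packets=50):
    """Find customer hosts answering external addresses from UDP 53/123 with a
    large average packet size and non-trivial volume: the traffic profile of an
    open recursive resolver or an ntpd that responds to anyone. Returns a sorted
    list of (host, port, average_bytes_per_packet)."""
    all_nets = [n for nets in prefixes.values() for n in nets]
    stats = defaultdict(lambda: [0, 0])  # (host, port) -> [bytes, packets]
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in AMP_PORTS:
            continue
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        # only customer hosts talking *out* to non-customer addresses count
        if not any(src in n for n in all_nets) or any(dst in n for n in all_nets):
            continue
        s = stats[(f["src"], f["sport"])]
        s[0] += f["bytes"]
        s[1] += f["packets"]
    return sorted(
        (host, port, b / p)
        for (host, port), (b, p) in stats.items()
        if p >= min_packets and b / p >= min_avg_bytes
    )


if __name__ == "__main__":
    for f in bcp38_violations(FLOWS):
        print(f"BCP38: {f['src']} arrived on {f['iface']} but is not assigned there")
    for host, port, avg in open_amplifier_candidates(FLOWS):
        print(f"possible open responder: {host} udp/{port}, avg {avg:.0f} B/packet")
```

The thresholds are deliberately simple: a real deployment would tune `min_avg_bytes` and `min_packets` to the export sampling rate, and would follow a hit with an active probe of the host before contacting the customer, as the comment describes doing for open DNS and NTP.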