by rdl 3530 days ago
It seems like some eyeball and distribution networks should get together and run a private subset of the Internet, with good filtering (BCP38 style), etc. internally. You could get pretty good coverage with just ~10 eyeball networks in the US, a few cloud providers, and maybe some key infrastructure. Operate normally most of the time, but when under attack, be able to fall back to just vetted networks, transports, and routes, at least temporarily. Then have a limited number of hardened gateways, the way NIPRnet does with the civilian commercial Internet, which are used in intermediate-level attacks.

Opt-in, maybe have an association run it (like an IX, but without the expensive dinners and dues and general activism which inflates IX budgets), etc. This would do more for "critical infrastructure protection" than anything DHS/NSA/FBI have ever done.
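The "BCP38 style" filtering the post leans on is source-address validation at the network edge: a packet arriving on a customer-facing interface is only forwarded if its source address belongs to the prefixes assigned to that interface, so spoofed traffic is dropped before it reaches anyone else. The following is an added illustration, not code from the thread or from any router vendor; the interface names, prefix assignments and packet records are constructed, and a real implementation would live in hardware ACLs or uRPF rather than in Python.

```python
"""BCP38-style source address validation, as a self-contained sketch.

Added example, not code from the Hacker News thread. The interface names,
prefixes and packet records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed assumption: each customer-facing interface is statically
# assigned the prefixes its customer legitimately originates from.
INTERFACE_PREFIXES = {
    "cust-a": ["198.51.100.0/24", "2001:db8:a::/48"],
    "cust-b": ["203.0.113.0/25"],
}


@dataclass(frozen=True)
class Packet:
    ingress_iface: str
    src: str
    dst: str


def build_filter(table):
    """Parse the prefix table once so per-packet checks are cheap."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}


def permitted(filt, pkt):
    """Return True if the packet's source address is one the ingress
    interface is allowed to originate (strict BCP38 check). Packets from
    an interface with no configured prefixes, or with an unparseable
    source, are rejected."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    # ip_address in ip_network is False across address families, so a
    # v4 source is never matched against a v6 assignment.
    return any(src in net for net in filt.get(pkt.ingress_iface, []))


def filter_packets(table, packets):
    """Split packets into (accepted, dropped) lists under the table's policy."""
    filt = build_filter(table)
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if permitted(filt, pkt) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic: one legitimate packet per customer, one
# spoofed source outside cust-a's assignment, one carrying cust-a's
# address on cust-b's port, and one from an interface with no assignment.
SAMPLE = [
    Packet("cust-a", "198.51.100.7", "192.0.2.10"),
    Packet("cust-b", "203.0.113.9", "192.0.2.10"),
    Packet("cust-a", "192.0.2.200", "192.0.2.10"),   # spoofed
    Packet("cust-b", "198.51.100.7", "192.0.2.10"),  # wrong customer's range
    Packet("unknown", "203.0.113.9", "192.0.2.10"),  # no assignment at all
]

if __name__ == "__main__":
    ok, bad = filter_packets(INTERFACE_PREFIXES, SAMPLE)
    print(f"accepted {len(ok)}, dropped {len(bad)}")
    for p in bad:
        print("  dropped", p.ingress_iface, p.src)
```

The strict check shown here is the one an eyeball network can apply on single-homed customer ports where it knows the assignment; multi-homed or transit interfaces need the looser feasible-path variant, which is why BCP38 deployment is uneven in practice and why the post proposes restricting the "vetted" set to networks that actually do it.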


So, these DDoS attacks take advantage of IoT devices, so how would you tell the difference using vetting when they are on the same networks as regular users?
I would just ban the IPs for 24 hrs if I detect an IP that is part of a DDoS. After that people will wise up and unplug their nannycam/toaster/IoT-whatever.
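The 24-hour ban proposed above has two parts: picking out the sources whose traffic toward a victim is far above a normal rate, and keeping a deny list whose entries expire on their own so nobody has to remember to unblock. The sketch below is an added example, not code from the thread; the flow records, the packets-per-second threshold and the window length are constructed assumptions, and a deployment would feed the result into a router ACL or RTBH rather than keep it in a Python dictionary.

```python
"""Flood-source detection over flow records plus a self-expiring ban list.

Added example, not code from the Hacker News thread. The flow records,
threshold and window below are constructed assumptions for illustration.
"""
from collections import defaultdict

BAN_SECONDS = 24 * 3600      # the 24-hour ban the comment proposes
PPS_THRESHOLD = 1000         # constructed: packets/sec per (src, dst) pair
WINDOW_SECONDS = 10          # constructed: length of one detection window


def flood_sources(flows, window=WINDOW_SECONDS, threshold=PPS_THRESHOLD):
    """flows: iterable of (timestamp, src, dst, packets) covering one window.

    Aggregate per (src, dst) so a source spread over several flow records
    is still counted; return every source whose average packet rate toward
    some single destination exceeds the threshold."""
    totals = defaultdict(int)
    for _ts, src, dst, pkts in flows:
        totals[(src, dst)] += pkts
    return {src for (src, _dst), pkts in totals.items()
            if pkts / window > threshold}


class BanList:
    """Time-bounded deny list: an entry lapses `duration` seconds after it
    was added, so lookups after that point report the address as clean."""

    def __init__(self, duration=BAN_SECONDS):
        self.duration = duration
        self._until = {}

    def ban(self, ip, now):
        # Re-banning an address that is already listed extends its expiry.
        self._until[ip] = now + self.duration

    def is_banned(self, ip, now):
        until = self._until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._until[ip]      # expired: drop it on first lookup
            return False
        return True

    def active(self, now):
        """Addresses still banned at `now`, after purging expired ones."""
        return {ip for ip in list(self._until) if self.is_banned(ip, now)}


# Constructed flow records for one 10-second window:
# (timestamp, src, dst, packets).
SAMPLE_FLOWS = [
    (1000, "198.51.100.7", "192.0.2.10", 12000),   # 1200 pps: flood
    (1003, "198.51.100.8", "192.0.2.10", 300),     # 30 pps: normal
    (1005, "203.0.113.9", "192.0.2.10", 6000),
    (1009, "203.0.113.9", "192.0.2.10", 5500),     # 1150 pps combined: flood
]


def run(flows, now):
    """Detect flood sources in one window and ban each for BAN_SECONDS."""
    bans = BanList()
    for src in flood_sources(flows):
        bans.ban(src, now)
    return bans


if __name__ == "__main__":
    bans = run(SAMPLE_FLOWS, now=1010)
    print("banned now:", sorted(bans.active(1010)))
    print("banned a day later:", sorted(bans.active(1010 + BAN_SECONDS)))
```

Note what the reply below points out: a per-address ban hits the whole household behind a home router, not the one compromised device, so a threshold this simple is only defensible for traffic that is unambiguously a flood.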
You're assuming that people will know or be able to guess what is compromised. Assuming multiple IoT devices, the average user won't have any clue, and will think they just need to run antivirus on their Windows box.
who cares?
Prune at the link level. Connect to people you trust to do so using a special community (or really, physical infra). It is OK if Bank A to Bank B communications get protected in a way which eliminates Bank A and Bank B connectivity to even 20% of legitimate end users in emergencies.