[tachyoff]

ISPs absolutely could, but having worked near this space previously, it really isn't as easy as it sounds, both the detection and the mitigation, and ISPs are not particularly equipped to handle it themselves right now. There's a lot of money to be made there, though.

[codefined]

Being naive here, wouldn't a massive help be to not focus on detection of DoS/DDoS attacks but instead to focus on validating that IP addresses come from within the range of addresses being served by the ISP?

It strikes me that this would prevent a massive number of amplification attacks.

[sofaofthedamned]

OVH do, though i've never used it as I ceased being a customer a while ago.

There are still a zillion low-end bottom feeding web hosts who wouldn't do anything about this, though.

[always_good]

OVH only employs some heuristics. Which are next to useless because a percentage of a volumetric attack is still a volumetric attack.