by blueish 2904 days ago
I had a conversation with a friend about this, and the outcome was the idea that BGP could be extended with functionality for this case. There needs to be a way to brand "negative" traffic or routes advertised with some sort of reputation system. In the event of a DDoS attack coming from an AS, you could have intra-AS weight for any given AS such that if an AS reports malicious traffic from a route, it's given a lower weight and traffic is less likely to route to that AS in favor of a less specific prefix. This would encourage any given AS to act in desirable ways, as their actions (or actions coming from within them, e.g. a customer of theirs being the source of a DoS attack) would have consequences.
2 comments

How would that work in practice? If I compromise a pile of IoT devices running on Comcast users' networks, and use them to launch an attack, all Comcast users on their subnet get marked as uncool? And if we're marking them as "bad", doesn't that mean all of their BGP peers mark them as uncool and then the weights for their prefix are lower but still even, so routing still ends up the same?

The only way they'd be impacted would be if some networks didn't implement your bad-actor-prefix-weight-mod, and then we'd just be penalizing the people who don't use your system along with the attackers, since we'd be routing the bad traffic via their networks.

You can see the impact of this kind of thinking in RBLs and blocklists - try to send email via your residential connection and you probably won't be able to.
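As an added illustration of the exchange above (this is not code from the original thread or from any BGP implementation), here is a toy Python model of the reputation-weighted route selection the top post proposes. All ASNs (documentation range 64496-64511), prefixes (TEST-NET-2), the single abuse report and the penalty value are constructed. Real BGP only compares routes for the same prefix and lets longest-prefix match win in the FIB, so the `allow_less_specific` mode is the hypothetical extension the post describes, not standard behaviour. The model shows the two objections raised in the reply: a penalty that every peer applies to every path containing the reported AS leaves the ordering unchanged, and if a less specific covering prefix is allowed to compete, the traffic lands on whichever neighbouring network announced it.

```python
"""Toy model of reputation-weighted BGP route selection (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination prefix as received, e.g. "198.51.100.0/24"
    as_path: Tuple[int, ...]    # AS_PATH, next hop first, origin AS last
    local_pref: int = 100       # operator-assigned preference before any reputation adjustment

    @property
    def origin(self) -> int:
        return self.as_path[-1]

    @property
    def prefixlen(self) -> int:
        return ip_network(self.prefix).prefixlen


def effective_pref(route: Route, reputation: Dict[int, int], penalty: int) -> int:
    """Hypothetical reputation adjustment: subtract `penalty` once for every AS
    on the path that has been reported as a source of malicious traffic."""
    reported = sum(1 for asn in route.as_path if reputation.get(asn, 0) > 0)
    return route.local_pref - penalty * reported


def select(rib: List[Route], dst: str, reputation: Dict[int, int],
           penalty: int = 0, allow_less_specific: bool = False) -> Optional[Route]:
    """Choose the route used to forward to `dst`.

    Plain mode: longest prefix match first, then highest (adjusted) preference,
    shortest AS_PATH, lowest origin ASN as a deterministic tie-break.
    allow_less_specific=True is the proposed extension: covering prefixes compete
    on preference too, so a penalised /24 can lose to an unpenalised /22."""
    addr = ip_address(dst)
    candidates = [r for r in rib if addr in ip_network(r.prefix)]
    if not candidates:
        return None
    if not allow_less_specific:
        longest = max(r.prefixlen for r in candidates)
        candidates = [r for r in candidates if r.prefixlen == longest]
    return max(candidates, key=lambda r: (effective_pref(r, reputation, penalty),
                                          r.prefixlen, -len(r.as_path), -r.origin))


# Constructed RIB as seen from our own AS. AS 64500 hosts the compromised devices;
# AS 64501 is a neighbouring network that announces a covering /22 and runs no
# reputation logic at all.
RIB = [
    Route("198.51.100.0/24", (64497, 64500)),          # via transit 64497, 2 hops
    Route("198.51.100.0/24", (64498, 64499, 64500)),   # via transit 64498, 3 hops
    Route("198.51.100.0/22", (64498, 64501)),          # less specific, originated by 64501
]
REPORTED = {64500: 1}   # one constructed abuse report against AS 64500


def demo(dst: str = "198.51.100.5") -> Dict[str, Tuple[int, ...]]:
    """Return the AS_PATH chosen for `dst` under three regimes."""
    plain = select(RIB, dst, reputation={})
    # Every peer applies the same penalty to every route containing 64500:
    # both /24 paths drop by the same amount, so the ordering does not change.
    uniform = select(RIB, dst, REPORTED, penalty=50)
    # Let the less specific route compete: traffic now flows into 64501's
    # network even though 64501 did nothing except not run the scheme.
    shifted = select(RIB, dst, REPORTED, penalty=50, allow_less_specific=True)
    return {"plain": plain.as_path,
            "uniform_penalty": uniform.as_path,
            "less_specific_allowed": shifted.as_path}


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:>22}: {path}")
```

Running it prints the same two-hop path for the plain and uniform-penalty cases and the `(64498, 64501)` path once the less specific prefix is allowed to win, which is the reply's point about penalising non-participants.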

You might be interested in the DOTS working group at the IETF.

https://datatracker.ietf.org/wg/dots/charter/