by AnthonyMouse 1651 days ago
The problem with this logic is that ordinary users don't become the target of a denial of service attack either. If it should exist at all, the default should be off. And if then no one would turn it on, it could just as well not exist.
3 comments

Ordinary users become a target of DDoS way more often than you would think. These days it tends to be related to competitive multiplayer video games, but I'm sure there's still some IRC drama and small-time Minecraft hosting driving it.

In general it's extremely unlikely unless you are engaging in "high risk behavior," but at the scale of an ISP there are enough users doing that kind of thing (Twitch streaming, etc) that it becomes an appreciable frustration for your network operations.

> These days it tends to be related to competitive multiplayer video games, but I'm sure there's still some IRC drama and small-time Minecraft hosting driving it.

This sounds like the sort of thing with similar prevalence to things like running a Tor node. This might even be an example the other way, when your game server or what have you has thousands of peer connections and this thing breaks it by misinterpreting that as a denial of service too.

I might be misunderstanding but doesn't the feature also help prevent home users' devices becoming part of a DDOS effort (high number of outbound connections)? There's stories here on HN about IoT devices and infected PCs/phones participating in DDOS on command. So I can see an argument that a home gateway device should try and help prevent participation by devices behind it.

In cases like that the correct answer is to detect weird behavior and call the customer on the phone to ask what's going on. If they say they know what it is because they're running Tor or hosting Ubuntu ISOs or playing P2P games or whatever, you don't have to do anything.

If they say they have no idea what you're talking about, you get to tell them they're infected, so they actually fix it instead of typing their bank password into the infected box the next week because you automatically removed the "huh, internet's slow" that might have led them to investigate it otherwise.
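
The "detect weird behavior, then confirm with the customer" flow discussed in this thread, written out as an added example (not code from any commenter or from any ISP product): each customer-side host's peak number of distinct destinations per window is measured from flow records, hosts above a threshold are queued for a support call, and hosts the customer has already explained (Tor relay, P2P game, mirror hosting) are recorded in a confirmed-legit list so they are not blocked again. The threshold, window length, flow records and the three sample hosts are all constructed assumptions for the example.

```python
from collections import defaultdict, deque

# Assumed operator-tuned values, not figures from the thread.
THRESHOLD = 50     # distinct destinations per window that triggers review
WINDOW_S = 60.0    # sliding window length in seconds

def peak_distinct_destinations(flows, window_s=WINDOW_S):
    """Per source host, the largest number of distinct destination IPs
    seen in any window_s-second span. flows: iterable of (ts, src, dst)."""
    by_src = defaultdict(list)
    for ts, src, dst in flows:
        by_src[src].append((ts, dst))
    peaks = {}
    for src, recs in by_src.items():
        recs.sort()
        window = deque()                # (ts, dst) records inside the window
        live = defaultdict(int)         # dst -> number of records in window
        peak = 0
        for ts, dst in recs:
            window.append((ts, dst))
            live[dst] += 1
            # Evict records that have fallen out of the window.
            while window and ts - window[0][0] > window_s:
                old_ts, old_dst = window.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            peak = max(peak, len(live))
        peaks[src] = peak
    return peaks

def triage(flows, confirmed, threshold=THRESHOLD, window_s=WINDOW_S):
    """Return {src: verdict}. 'ok' is below threshold; 'contact-customer'
    means a support call is due; 'known-legit: ...' is a host the customer
    has already explained, so it is left alone rather than auto-blocked."""
    verdicts = {}
    for src, peak in peak_distinct_destinations(flows, window_s).items():
        if peak < threshold:
            verdicts[src] = "ok"
        elif src in confirmed:
            verdicts[src] = f"known-legit: {confirmed[src]}"
        else:
            verdicts[src] = "contact-customer"
    return verdicts

def _constructed_flows():
    """Constructed sample traffic (TEST-NET addresses), not captured data."""
    flows = []
    # 10.0.0.11: customer-confirmed Tor relay, 80 distinct peers within 40 s.
    for i in range(80):
        flows.append((i * 0.5, "10.0.0.11", f"203.0.113.{i + 1}"))
    # 10.0.0.12: unexplained host reaching 120 destinations in 10 s.
    for i in range(120):
        flows.append((i / 12.0, "10.0.0.12", f"198.51.100.{i + 1}"))
    # 10.0.0.13: ordinary browsing, a handful of destinations.
    for i in range(5):
        flows.append((i * 3.0, "10.0.0.13", f"192.0.2.{i + 1}"))
    # 10.0.0.14: two separate 30-destination bursts 200 s apart; the sliding
    # window must not add them together.
    for i in range(30):
        flows.append((i * 1.0, "10.0.0.14", f"192.0.2.{100 + i}"))
        flows.append((200 + i * 1.0, "10.0.0.14", f"192.0.2.{150 + i}"))
    return flows

SAMPLE_FLOWS = _constructed_flows()
# Outcome of an earlier support call, recorded so the host is not re-flagged.
CONFIRMED = {"10.0.0.11": "customer confirmed Tor relay"}

if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_FLOWS, CONFIRMED).items()):
        print(src, verdict)
```

The design point is that the detector only produces a queue for a human conversation; the confirmed-legit list is what turns "the customer told us it's a Tor node" into a durable exemption, which a gateway that silently throttles has no way to learn.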

I like your idea and agree that implementing it would improve outcomes for customers. However, the ISP would be on the hook for additional customer support; it's a lot more involved to outfit your call center staff with playbooks for explaining exploited devices to an average customer than it is to toss in a semi-autonomous blocker. This does make things worse for "power users", but ISPs may have also found that said users are more willing to pay for special service agreements (a small business account for example).

> The problem with this logic is that ordinary users don't become the target of a denial of service attack either

I suspect the concern is not that ordinary users would be targets, but that ordinary users would be sources of DDoSes (by being part of a botnet).