[johncolanduoni]

Large DDoS botnets will have hundreds of thousands of return-path-capable IP addresses. Your temporary blocks will have to be very sensitive (i.e. trigger on a relatively small number of requests within the time window) for an application-level DDoS to be usefully mitigated.

[gzread]

So how does your other plan solve that?

[johncolanduoni]

Once an IP in a botnet attacks someone, it ends up on a blocklist and can’t attack anyone else who uses that blocklist. This is a big part of Cloudflare’s DDoS model: if you attack one CF property (with non-volumetric DDoS) you will not be able to attack any others with the same bot for an extended period. This makes attacks to CF properties limited in scope and way more costly, because you have to essentially “burn” IP addresses after sending relatively little traffic.

[gzread]

How long does it take for a whole major ISP, say Verizon, to get on your blocklist?

[johncolanduoni]

Considering nobody blocks the entirety of Verizon, apparently a long time. You can act like this is some insane plan, but it’s happening all the time and while it can lead to annoyance for end users the internet chugs on. Which it wouldn’t if there was no way to mitigate DDoS other than rate limits.