by Perdition 4094 days ago
>Except there's no provable way to distinguish between "attack traffic" and normal traffic.

Depends on the DDOS method used. Stuff like the NTP abuse of a few years ago could be sinkholed without affecting any real users. HTTP DDOS has pretty low impact per node so most attackers use some form of amplification attack with other protocols.

1 comments

Oh there are totally heuristics you can use. For example, limiting traffic from geolocations in which it shouldn't be showing high traffic usage (8 million hits per minute from China at 3am Beijing time?).

The key word is "provable."