But in the telco world, how often do you have people's home phones trojanned and directed to 'DoS' another company? To pull that off with great magnitude, you need a whole lot of coordinated access to the physical plant, which is either impossible or extremely noticeable. But in a scenario like that, if a telco user gets their access canned, it's most likely because the telco user themself was abusing their privileges, not getting abused by some random fool attacking another user/company via their facilities just to swing their nuts around anonymously.

But don't get it twisted, I agree with your idea of cooperation and tracking but this is like chasing suicide bombers. You can kill a drone or two or fifty, but new ones will pop up in their place. You can kill the drone controller, but the drones will continue to execute their mission as they were doing before, but now, without any method or controller to tell them to stop attacking. Not to mention, by cutting off the drone's Internet access, regular users get caught in the crosshairs of the drone hunters. At the same time, if you tell a user their computer is trojanned, but you would like to bait it to catch the culprit, they'll get worried about their personal data and either go on a formatting campaign, or abandon the computer altogether (trashing it, selling it, giving it away, etc).

I think one way to definitely help is by user education. ISPs should kick out newsletters or advisories to their users, informing them of the latest scam, spam, or exploit and how to protect themselves from it or how to determine if the user is a victim of the exploit in question. This is where telcos (with fraud departments) are usually successful, every now and then you'll get some sort of info on the latest trend to watch out for. You either get it directly from the telco, or from some other 3rd party source that got it from the telco or another person (examples: news, community bulletins, office e-mails, etc).
Too often do new users get brand spanking new Internet access, and maybe a trial version of anti-virus software and the ISP calls it a day, then the user is left to wander through the wilderness.

Another big plus is network cooperation. Too often have attacks gone unnoticed until someone becomes a target of the DoS and then throws a fit over how no one is doing anything. (No, I'm not singling anyone out). Granted, the general response to Slammer was better than usual, but how often do companies with small T1 customers getting smacked with 10-200Mbps get to prosecute or even at the least, identify the attacker before, during, or after the filtering?

Let me stop now, this e-mail is way too long.