Most ISPs wouldn't have to deal with this problem if corporations took the time to release better products.
The average corporation is in business to make money. Releasing a better product than is required to enable revenue and deal with competition would be irresponsible to their shareholders. But let's stay out of that rathole on this latest trip down this topic.
I was faced with the question of "What do you do for infected clients?" What can an ISP do?
1. Do BCP38. Have your CFO read SAC004. Implement source address validity checks. Ensure that the ~50% or more of DDoS packets generated in the world that have invalid source addresses cannot come from your network -- this will make botnets made up of your clients less valuable in the ddos-for-hire world -- in other words, malfeasants will try less hard to create them, and other malfeasants will pay less to acquire them.

2. Filter aggressively. Run a dark-net, and if one of your customers hits it, blackhole their /32 for both inbound and outbound traffic, flag their record in your customer database, and wait for them to call. When they call, give them a list of anti-virus products for their 'puter, and the phone numbers (yes, sorry, no web access for them at the moment) of some vendors. This will cost you some top line revenue, but save your margins.
... Yes there is little that can be done right now, but yet there ARE things that CAN BE DONE. ... I say nip it at the bud, if you're an upstream provider and you see some of these issues, three strikes shut these things down, or nullroute them, don't just sit twiddling your thumbs "Oh but that won't help your idea is silly because foo_x reason." ...
Yea, verily. This is not an impossible problem for this community; it is only an impossible problem for any one of us acting totally independently. And while the solution isn't instant, the tide CAN be turned. -- Paul Vixie
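The two measures in the message above (BCP38 source address validation on customer ports, and a dark-net that triggers a /32 blackhole in both directions plus a flag on the customer record) can be modelled in a few lines. The following is an added illustration, not code from the thread or from any of its participants; the customer prefix table, the dark-net range and the sample packets are constructed, and the port names and function names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Hypothetical provisioning data: the source prefixes each customer port is
# allowed to originate (constructed sample, not from the thread).
CUSTOMER_PREFIXES = {
    "port-A": [ip_network("203.0.113.0/28")],
    "port-B": [ip_network("198.51.100.64/26")],
}

# Dark-net: address space the ISP routes internally but never assigns, so
# no legitimate host has a reason to send traffic there (constructed).
DARKNET = ip_network("192.0.2.0/24")


def bcp38_allows(port, src):
    """Source address validity check (BCP38): a packet entering on a
    customer port is accepted only if its source lies in a prefix
    assigned to that port. Anything else is spoofed and dropped."""
    src_ip = ip_address(src)
    return any(src_ip in pfx for pfx in CUSTOMER_PREFIXES.get(port, []))


class DarknetMonitor:
    """Tracks hosts that hit the dark-net, the /32s to blackhole, and the
    customer records that should be flagged for follow-up."""

    def __init__(self, darknet):
        self.darknet = darknet
        self.blackholed = set()   # set of /32 networks
        self.flags = {}           # customer port -> offending source addresses

    def observe(self, port, src, dst):
        """Record a dark-net hit; returns True if the host was just blackholed."""
        if ip_address(dst) not in self.darknet:
            return False
        self.blackholed.add(ip_network(f"{src}/32"))
        self.flags.setdefault(port, []).append(src)
        return True

    def is_blackholed(self, addr):
        return any(ip_address(addr) in h for h in self.blackholed)


def outbound_action(port, src, dst, monitor):
    """Customer-facing edge: BCP38 first, then dark-net detection, then the
    outbound half of the blackhole. Returns the action taken."""
    if not bcp38_allows(port, src):
        return "drop-spoofed"
    if monitor.observe(port, src, dst):
        return "blackhole-new"
    if monitor.is_blackholed(src):
        return "drop-blackholed"
    return "forward"


def inbound_action(dst, monitor):
    """Internet-facing edge: the inbound half of the blackhole, so the
    infected host gets no traffic from outside either."""
    return "drop-blackholed" if monitor.is_blackholed(dst) else "forward"


def run_sample():
    """Replay a constructed packet sequence and return the actions taken."""
    monitor = DarknetMonitor(DARKNET)
    outbound = [
        ("port-A", "203.0.113.5", "93.184.216.34"),   # legitimate traffic
        ("port-A", "10.0.0.1", "93.184.216.34"),      # spoofed source on port-A
        ("port-B", "198.51.100.70", "192.0.2.77"),    # scanning hits the dark-net
        ("port-B", "198.51.100.70", "93.184.216.34"), # same host, now blackholed
        ("port-B", "198.51.100.71", "93.184.216.34"), # neighbour is unaffected
    ]
    actions = [outbound_action(*pkt, monitor) for pkt in outbound]
    actions.append(inbound_action("198.51.100.70", monitor))  # reply to infected host
    actions.append(inbound_action("198.51.100.71", monitor))  # reply to clean host
    return actions, dict(monitor.flags)


if __name__ == "__main__":
    for line in run_sample()[0]:
        print(line)
```

The check order matters: a spoofed packet never reaches the dark-net logic, so a customer cannot get a neighbour's address blackholed by forging it as a source, which is exactly the property BCP38 provides for the later filters.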