where you lose me is where "the attacker must always win".
Do you have a miraculous way to stop DDoS? Is there now a way to quickly and efficiently track down forged packets? Is there a remedy for shutting down the *known* botnets, not to mention the unknown ones?
there are no silver bullets. anyone who says otherwise is selling something.
The attacker will always win if he has a large enough attack platform/...
While all this is worked out, we have one solution we know works.
"we had to destroy the village in order to save it."
If we null route the victim IP, the traffic stops at the null route. Since most attackers don't care to DoS the ISP, but just to take care of that end point, they usually don't start shifting targets to try and keep the ISP itself out.
if you null route the victim IP, the victim is off the air, so the DDoS is a success even though it mostly does not reach its target. you're proposing that we lower an attacker's costs. in a war of economics that's bad juju, and all wars are about economics. there are no silver bullets.

ISPs who permit random source addresses on packets leaving their networks are creating a global hazard, and since they are defending their practices on the basis of thin profit margins it's right to call this "the chemical polluter business model." as long as the rest of us continue to peer with these chemical polluters, then anyone on the internet can be the victim of a devastating DDoS at any time and at low cost.

that's not a silver bullet however. if most ISPs controlled their source addresses there would still be DDoSes, and then the new problem would be lack of real-time cooperation along the lines of "hi, i'm in the XYZ NOC and we're tracking a DDoS against one of our customers and 14% of it is coming from your address space, here's the summary of timestamp-ip-volume and here's a pointer to your share of the netflows, can you remediate?" the answer will start out just like today's BCP38 answer, "no, we can't afford the staff or technology to do that," and then lawyers would worry about liability, and we'd all have to worry about monopolies, censorship, social engineering, and so on.

in all of these cases the problem is the margins themselves. just as the full cost of a fast food cheeseburger is probably about $20 if you count all the costs that the corporations are shifting onto society, so it is that the full cost of a 3 Mbit/s DSL line is probably $300/month if you count all the costs that ISPs shift onto digital society.
the usual argument goes (and i'm just putting it out here to save time, though i'm betting several respondents will not read closely and so will just spew this out as though it's their original idea and as though i had not dismissed it many times over the decades): "we cannot build a digital economy without cost shifting since no one would pay what it really costs during the ramp-up". i don't dignify that with a reply, either here in effigy, or if anyone happens to trot it out again.
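The three mechanisms argued over in this thread (null-routing a victim, BCP38 source-address filtering at the ISP edge, and the "14% of it is coming from your address space" summary one NOC would hand another) are small enough to sketch in code. The following is an added example written for this page; it is not from any of the posters. All prefixes, network names (XYZ-NET, OTHER-NET) and flow records are constructed from RFC 5737 documentation and RFC 1918 space, and "our" ISP is assumed to own exactly the two prefixes in OUR_PREFIXES.

```python
import ipaddress
from collections import defaultdict

# Constructed: the two prefixes "our" ISP announces. Under BCP38 / RFC 2827 a
# packet may leave our network only if its source address lies inside them;
# anything else is spoofed and gets dropped at the edge.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Hypothetical peer networks and the address space each one is responsible for.
PEER_NETWORKS = {
    "XYZ-NET": [ipaddress.ip_network("192.0.2.0/24")],
    "OTHER-NET": [ipaddress.ip_network("10.0.0.0/8")],
}

VICTIM = "198.51.100.7"  # constructed: one of our customers, under attack

# Constructed netflow-style records (timestamp, source, destination, bytes):
# a flood at VICTIM plus one ordinary flow to a different customer.
FLOWS = [
    {"ts": 1000, "src": "192.0.2.10",  "dst": VICTIM,          "bytes": 600},
    {"ts": 1000, "src": "192.0.2.77",  "dst": VICTIM,          "bytes": 800},
    {"ts": 1001, "src": "10.4.4.4",    "dst": VICTIM,          "bytes": 5000},
    {"ts": 1001, "src": "10.9.9.9",    "dst": VICTIM,          "bytes": 3000},
    {"ts": 1002, "src": "172.16.0.3",  "dst": VICTIM,          "bytes": 600},
    {"ts": 1002, "src": "192.0.2.200", "dst": "198.51.100.20", "bytes": 100},
]


def bcp38_egress_permits(src, prefixes=OUR_PREFIXES):
    """True if a packet with this source address is allowed to leave our network."""
    return any(ipaddress.ip_address(src) in p for p in prefixes)


def filter_egress(packets, prefixes=OUR_PREFIXES):
    """Split outbound packets into (forwarded, dropped) per the BCP38 check."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if bcp38_egress_permits(pkt["src"], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def null_route(flows, victim):
    """Model a null route: everything addressed to the victim is discarded.

    Returns what is still delivered. Note that the null route cannot tell
    attack traffic from legitimate traffic to the victim: both are gone, which
    is why the victim is "off the air" while the rest of the ISP is fine.
    """
    return [f for f in flows if f["dst"] != victim]


def attribute_by_origin(flows, victim, peers=PEER_NETWORKS):
    """Byte volume and percentage share of the flood, keyed by the peer whose
    address space the source sits in ("unattributed" if no peer matches)."""
    volume = defaultdict(int)
    for f in flows:
        if f["dst"] != victim:
            continue
        src = ipaddress.ip_address(f["src"])
        owner = next((name for name, nets in peers.items()
                      if any(src in n for n in nets)), "unattributed")
        volume[owner] += f["bytes"]
    total = sum(volume.values())
    return {name: (b, round(100 * b / total, 1)) for name, b in volume.items()}


def remediation_request(flows, victim, peer, peers=PEER_NETWORKS):
    """The summary one NOC would send another: that peer's share of the flood
    and the timestamp-ip-volume lines drawn from its own address space."""
    share = attribute_by_origin(flows, victim, peers).get(peer, (0, 0.0))[1]
    theirs = [f for f in flows if f["dst"] == victim
              and any(ipaddress.ip_address(f["src"]) in n for n in peers[peer])]
    lines = [f"{f['ts']} {f['src']} {f['bytes']}" for f in theirs]
    return share, lines


if __name__ == "__main__":
    print("delivered after null route:", null_route(FLOWS, VICTIM))
    print("flood by origin:", attribute_by_origin(FLOWS, VICTIM))
    share, lines = remediation_request(FLOWS, VICTIM, "XYZ-NET")
    print(f"XYZ-NET: {share}% of the flood")
    print("\n".join(lines))
```

With the constructed data, XYZ-NET accounts for 14% of the flood, which is the figure the cross-NOC message in the post uses. The attribution step is only meaningful if the source addresses are honest in the first place; with spoofed sources the "share" points at whoever the attacker chose to impersonate, which is the reason the BCP38 filter has to exist before the cooperation problem even arises.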