If a customer is infected, then the problem is on their end. The fact that they don't have throughput is their issue, not that of the provider's.
Many, many customers don't understand this - if they don't have throughput, it's the provider's problem and the provider has to fix it. One of the reasons I'm not providing anymore.
As for collateral damage, proper monitoring of the entire network and early warning systems allow engineers to hopefully stop the problem before it goes critical. The spool up on this worm was massive and effected some networks too fast to prevent them going critical. However, tracking and resolution should easily have been within the SLA windows.
I've seen various references to this worm firing off and saturating networks worldwide within 1 minute... if *that* isn't scary, I don't know what is. It shows that someone, with the right tools and enough vulnerable servers can take out a good portion of the Internet in seconds. And how can we predict *every* possible issue and block it?
My policy: Hmm, I'm not sure. *ring* Dude, wake up. It's a critical outage. The whole network is collapsing. Think! *rambles for 5 minutes* Oh, wait. Never mind, I got it. Go back to sleep. Thanks.
I think there's only so much one can do in advance. Sure, we all know we shouldn't have these servers exposed, but again, many are in the position of having to leave them open to some extent - case in point, I have a developer who uses dialup (because he's in the sticks in northern Georgia, and nothing else is available, and he's a skinflint who uses the free or nearly-free dialup providers)... he's also not going to use a VPN... he'll just bitch because he can't get to the server. More cases where you do what you have to... a couple of years ago, when I *was* doing the provider bit... I blocked the netbios ports on the border. You have no idea what a cry went up from customers... they *want* to share drives over the Internet, and didn't care what risks might be involved. It was, to them, too complicated and/or expensive to do it via a VPN. So I ended up having to open them back up, but kept them blocked to my own machines. Sometimes the best you can do is explain the risks, and then let the customer do what they will. Until they're causing problems... of course at that point you can cut 'em off (how many of you shut down customer boxen last night?). I'm no great thinker, and having said that, I'm just not sure we can protect everything/everybody.