ISPs should implement BCP38 (prevention of spoofed traffic originating from their networks, in short) but when a device is compromised, it doesn't necessarily have to spoof traffic at all.
ISPs have thin margins, and get paid to push bits. DDoS mitigation services are extremely expensive not because they are complex or novel but because they require significant resources (both in hardware and in software expertise).
If manufacturers are going to sling "shit" and we can't hold them accountable; consumers are going to buy the polished turds and we can't prevent them plugging it into their networks; and ISPs have little to zero incentive or ability to "filter out the bad traffic" then we're basically looking at a 5-10 year span of increasingly detrimental, expensive, and effective denial of service attacks.
Why aren't the major backhaul providers like L3 forcing this as part of their pass through agreements? If the ISP cannot invest enough to follow the simplest of best practices then why do they allow them to connect? Seem dangerous for the backbone people.
because none of them can and none of them have a financial interest to do so.
Default free providers such at NTT, GTT, Zayo/AboveNet, Level3/Global Crossing, ATT, CenturyLink/Qwest, Deutsche Telekom, Vodafone/Cable & Wireless, and others commonly (but incorrectly) known as Tier 1/"backbone" providers peer with other networks in a settlement free (no money is exchanged, or, on an accounting basis, everything zeros out) fashion because they are "peers" in the strictest sense: same size, same reach, same markets (mostly...)
ISPs have thin margins, and get paid to push bits. DDoS mitigation services are extremely expensive not because they are complex or novel but because they require significant resources (both in hardware and in software expertise).
If manufacturers are going to sling "shit" and we can't hold them accountable; consumers are going to buy the polished turds and we can't prevent them plugging it into their networks; and ISPs have little to zero incentive or ability to "filter out the bad traffic" then we're basically looking at a 5-10 year span of increasingly detrimental, expensive, and effective denial of service attacks.