
See, is there a practical way to "fix" the problem behind a DDOS? More specific attacks (slowloris, SYN flood, ping of death, smurf, and a laundry list of other stuff) can be fixed by simply introducing changes to the infrastructure that make such things possible.

But a DDOS attack is, at heart, nothing more than a brute-force attack - flooding a single website / IP with so much traffic that it can't respond. No matter how much fancy technology you add, if you have a 100Mbps link, and someone's sending 1Gbps of data at you, you're out of luck.

And, yes, I realize that there are companies that specialize in protecting against DDOS attacks - generally, they move content to a CDN and use some intelligent filtering to drop packets (i.e. people that request multiple times in succession, etc.). But this still is reliant on the fact that their connections are large enough that they can actually process all this data.

If a large country decided to use all its available Internet bandwidth to DDOS, there's not much anyone can do about it.

In short: DDOS attacks will likely always be around - they might require higher bandwidth (country-scale or thereabouts), but it's not "fixable".



So let's think about how traffic gets onto the network and what steps might make sense to limit that. I have some "crazy" ideas about this including per device reputation enforced as close to the device as possible. Yes, if we say that anyone with any sort of device can send data to anyone then this will be a problem. There are other options including different sorts of "darknet" type things. Are there no "outside the box" type solutions that you can think through the tradeoffs for? I think the underlying assumption you're working with, that anyone anywhere on the network should be able to drop an unlimited amount of data onto the link headed to me as a rule of how things must forever work needs to be justified.


Yes, that would be a valid solution - authenticate every device, or provide a per-device reputation. But this has a couple of problems that I can think of:

1. Per-device reputation removes the concept of anonymity. If I can look up the "reputation" of the device that sent me a packet, I can track it perfectly too.

2. Authenticating every device (besides the practical challenges) is very inconvenient. What happens if I move countries? Buy a new phone? Or a new network card?

And there are more issues that I won't list :)

Problems aside, I agree with the statement: "the underlying assumption [...] that anyone anywhere on the network should be able to drop an unlimited amount of data onto the link headed to me [...] needs to be justified".

I think the most practical solution to this would simply be forcing ISPs (through legislation would be best) to look a little closer at their traffic. If I'm running an ISP, and I see a computer making 100 requests/second to a single website for more than a minute, I'm immediately thinking "DDOS". Yes, there's privacy issues, but most ISPs already do some sort of traffic shaping (see: Sandvine), so it shouldn't be that much of a stretch.

Arguments welcome ;-)
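The ISP-side heuristic sketched in the comment above ("100 requests/second to a single website for more than a minute"), written out as an added example that is not part of the original thread. The flow-record format, the IP addresses and the traffic itself are constructed for the example; the thresholds are the ones the comment names.

```python
from collections import defaultdict

# Thresholds taken from the comment: 100 requests/second to one destination,
# sustained for more than a minute. Both are hypothetical tuning values.
RATE_THRESHOLD = 100      # requests per second from one source to one destination
SUSTAIN_SECONDS = 60      # the hot rate must hold for more than this many consecutive seconds


def parse_flow(line):
    """Parse one constructed flow record of the form '<unix_ts> <src_ip> <dst_ip>'."""
    ts, src, dst = line.split()
    return float(ts), src, dst


def per_second_counts(lines):
    """Bucket records into (src, dst) -> {whole_second: request_count}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, dst = parse_flow(line)
        counts[(src, dst)][int(ts)] += 1
    return counts


def longest_hot_run(seconds_to_count, threshold=RATE_THRESHOLD):
    """Longest run of consecutive seconds whose count is at or above the threshold.

    Seconds with no traffic are simply absent from the dict, so any gap in the
    timeline (a second with zero requests) breaks the run."""
    best = run = 0
    prev = None
    for sec in sorted(seconds_to_count):
        hot = seconds_to_count[sec] >= threshold
        if hot and prev is not None and sec == prev + 1:
            run += 1
        elif hot:
            run = 1
        else:
            run = 0
        prev = sec
        best = max(best, run)
    return best


def flag_flooders(lines, threshold=RATE_THRESHOLD, sustain=SUSTAIN_SECONDS):
    """Return sorted (src, dst, seconds_sustained) for pairs that look like a flood."""
    flagged = []
    for (src, dst), buckets in per_second_counts(lines).items():
        run = longest_hot_run(buckets, threshold)
        if run > sustain:
            flagged.append((src, dst, run))
    return sorted(flagged)


def constructed_flows():
    """Synthetic flow log, constructed for this example (not real captured traffic)."""
    lines = []
    base = 1700000000
    # 10.0.0.7 hammers 203.0.113.10 at 120 req/s for 90 seconds: a flood.
    for sec in range(90):
        for i in range(120):
            lines.append(f"{base + sec + i / 120:.4f} 10.0.0.7 203.0.113.10")
    # 10.0.0.8 behaves like a browser: 5 req/s for 30 seconds.
    for sec in range(30):
        for i in range(5):
            lines.append(f"{base + sec + i / 5:.4f} 10.0.0.8 203.0.113.10")
    # 10.0.0.9 bursts to 150 req/s, but only for 20 seconds (e.g. a page with many assets).
    for sec in range(20):
        for i in range(150):
            lines.append(f"{base + sec + i / 150:.4f} 10.0.0.9 203.0.113.10")
    return lines


if __name__ == "__main__":
    for src, dst, secs in flag_flooders(constructed_flows()):
        print(f"possible DDOS: {src} -> {dst} held >= {RATE_THRESHOLD} req/s for {secs}s")
```

Only the 90-second flood from 10.0.0.7 is flagged; the 20-second burst from 10.0.0.9 is above the rate but not sustained, and the browser never gets near the rate. The same property is the heuristic's weakness: a source that stays under the per-second threshold is never flagged, so many low-rate sources spread across a botnet pass through it untouched.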


It'd need the help of browsers or OSes (depending on where in the stack you put the logic), but one idea might be to require requests/packets to be signed by something that proves a sufficient amount of CPU work has been done (à la Bitcoin). If the site comes under attack, they could turn this on (presumably with a middle-man service that can take high bandwidth) and up the amount of work required to reach the destination. This would no doubt slow things for the legitimate users, but it could make things much more difficult for the attackers.
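A hashcash-style proof of work of the kind the comment above describes, as an added example that is not code from the original thread. The stamp format (resource:issued_at:nonce), the use of SHA-256 and leading-zero-bit difficulty, and the freshness window are choices made here for illustration; nothing about them is prescribed by the comment.

```python
import hashlib
import time


def _leading_zero_bits(digest):
    """Number of leading zero bits in a byte string (the 'difficulty' of a hash)."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def solve(resource, difficulty, issued_at=None):
    """Client side: search for a nonce such that SHA-256(resource:issued_at:nonce)
    starts with `difficulty` zero bits. Returns (stamp, hashes_tried).

    Expected work is about 2**difficulty hashes, so raising `difficulty` by one
    doubles the client's cost while the server's verification cost stays at one hash."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    prefix = f"{resource}:{issued_at}:"
    nonce = 0
    while True:
        stamp = prefix + str(nonce)
        if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= difficulty:
            return stamp, nonce + 1
        nonce += 1


def verify(stamp, resource, difficulty, now=None, max_age=300, seen=None):
    """Server side: one SHA-256 plus a freshness check and an optional replay check.

    `seen` is a set of stamps already accepted; without it an attacker could solve
    one stamp and replay it for the whole validity window."""
    try:
        res, issued_at, nonce = stamp.rsplit(":", 2)
        issued_at = int(issued_at)
        int(nonce)
    except ValueError:
        return False
    if res != resource:
        return False
    now = int(time.time()) if now is None else now
    # Reject stale stamps (older than max_age) and stamps from the future (small clock skew allowed).
    if not (now - max_age <= issued_at <= now + 60):
        return False
    if seen is not None and stamp in seen:
        return False
    ok = _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= difficulty
    if ok and seen is not None:
        seen.add(stamp)
    return ok


if __name__ == "__main__":
    resource = "example.com/login"   # hypothetical protected resource
    for difficulty in (8, 12, 16):
        stamp, tries = solve(resource, difficulty)
        print(f"difficulty {difficulty}: client tried {tries} hashes, server verifies with 1:",
              verify(stamp, resource, difficulty, seen=set()))
```

The `difficulty` argument is the knob the comment proposes turning up under attack. The asymmetry is the whole point: the client's search costs roughly 2**difficulty hashes, the server's check costs one hash and a set lookup, which is the part of the cost the reply below is pointing at. The `seen` set grows with every accepted stamp; in a deployment it would be bounded to the `max_age` window.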


This really doesn't solve the DDOS problem though. It's throwing more CPU time and bandwidth at a scenario that already requires both of those. It can slow a small group of script kiddies making a thousand requests to your server per second, but it doesn't stop an actual distributed attack using a botnet or large numbers of machines.

If you're adding the signatures, you presumably need to spend CPU time to authenticate it, and bandwidth to send the data, plus the actual content. Why not just have the middle-man soak up the extra requests, cache the data, and fan it out that way?


Of course, botnets or LOIC would completely bypass this defense...


A long time ago I read/watched something about a group that works with ISPs around the world to nail down the source of DDoS attacks and stop them, but I don't remember anything else.



