What could Internet providers do to prevent and mitigate DDoS attacks?

ISPs do provide DDoS protection to their customers, but it is not their primary focus, and they can't handle larger volumes of DDoS attacks. The same goes for clean pipe services: Why Clean Pipe Is Not So Clean
During a DDoS attack that blocks the internet pipe of a protected organization, the organization's ISP diverts the attack traffic to an MSSP (managed security service provider), which identifies the malicious traffic and drops it. This diversion requires human intervention and takes at least 15 minutes, during which the enterprise's online services are not protected and are exposed to the attackers.
ISP clean pipe services do not provide complete protection against DDoS attacks. Firstly, they lack the capacity to handle even average-size attacks, especially when it comes to packet-based / application flood attacks. Secondly, the cleaning center of an ISP can be attacked directly. If the IP addresses of the routers or mitigation devices in the cleaning center are known to an attacker, it may be possible to attack the cleaning center and render it useless in mitigating simultaneous attacks on the ISP's customers.
Every time an attack on a customer is detected, re-routing techniques are needed to send the traffic to a cleaning center. When the attack subsides, the techniques must be deactivated. This incurs an overhead in reconfiguring routers. An attacker can potentially start and stop DDoS attacks for very short periods of time against many different customers to overload this router reconfiguration mechanism. Re-routing traffic for small amounts of attack traffic incurs too much overhead compared to the small harmful impact on server response time, so cleaning should be initiated only after a large enough attack is detected. Further, once initiated, cleaning should proceed for some number of hours to dampen the configuration impact from rapid changes in attack patterns.
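The start threshold and hold period described above can be sketched as a small controller. This is an added example, not code from the original article; the class and function names, the 500 Mbps threshold, the 4-hour hold and the traffic samples are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class DiversionController:
    """Decides when a customer's traffic is diverted to the cleaning center."""
    start_mbps: float        # assumed threshold: divert only at or above this rate
    min_hold_s: int          # assumed hold: stay diverted this long after the last attack sample
    diverted: bool = False
    last_attack_ts: int = 0
    reconfigs: int = 0       # number of router reconfigurations performed

    def observe(self, ts: int, attack_mbps: float) -> bool:
        over = attack_mbps >= self.start_mbps
        if over:
            self.last_attack_ts = ts
        if not self.diverted and over:
            self.diverted = True          # re-route traffic to the cleaning center
            self.reconfigs += 1
        elif self.diverted and not over and ts - self.last_attack_ts >= self.min_hold_s:
            self.diverted = False         # hold period expired, restore normal routing
            self.reconfigs += 1
        return self.diverted

def count_reconfigs(samples, start_mbps, min_hold_s):
    """Replay (timestamp, attack_mbps) samples and count routing changes."""
    ctl = DiversionController(start_mbps, min_hold_s)
    for ts, mbps in samples:
        ctl.observe(ts, mbps)
    return ctl.reconfigs

def pulsed_attack(duration_s=3600, step_s=60, on_mbps=800.0, off_mbps=0.0):
    """Constructed sample: attack switches on and off every minute for an hour."""
    return [(t, on_mbps if (t // step_s) % 2 == 0 else off_mbps)
            for t in range(0, duration_s, step_s)]

if __name__ == "__main__":
    samples = pulsed_attack()
    # No threshold margin, no hold: every pulse edge triggers a reconfiguration.
    print("naive :", count_reconfigs(samples, 1.0, 0))
    # Threshold plus 4-hour hold: one diversion absorbs the whole pulse train.
    print("damped:", count_reconfigs(samples, 500.0, 4 * 3600))
    # An attack below the threshold is never diverted at all.
    print("small :", count_reconfigs(pulsed_attack(on_mbps=50.0), 500.0, 4 * 3600))
```

Replaying the same pulsed traffic through both settings shows the trade-off the text describes: the damped controller stops the reconfiguration churn, at the cost of leaving small attacks undiverted and keeping traffic in the cleaning center after the attack ends.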
