Your comment underestimates the task of remediation. Sure, we can very easily get a list of DDoS source IP addresses. Any decent network operator can get a list of flows matching some DDoS criteria and generate a report of IP addresses.
In the case of this TP240 attack, you're talking about ~2600 independent businesses across the world. Assuming you are able to determine the actual source of the traffic and work with a vendor to patch it, you're still tasked with somehow getting 2600 businesses to patch their systems or modify firewall rules.
In the case of the memcached amplification attack, Cloudflare saw upwards of 5800 source IPs in the attacks, and Shodan reported nearly 88000 IPs responding on port 11211 [1]. Tracking down the owners of 88k installations across public clouds, businesses, probably some residential networks, is a monumental task. There's nothing easy about it.
> you're talking about ~2600 independent businesses across the world. Assuming you are able to determine the actual source of the traffic and work with a vendor to patch it, you're still tasked with somehow getting 2600 businesses to patch their systems or modify firewall rules.
You can be sure that by only null-routing their entire C-class, adjacent customers will loudly complain to the operator who will quickly identify the source and disconnect it. The best way to deploy fixes on the net has always been to first disconnect them. This way you don't have to convince anyone, it's done the other way around. Typically the CEO will instantly throw all the phones to the trash to get the net opened again.
Unless you have coordination with the network operators on which those amplifiers are sitting, your null-routing of the amplifier in your own network isn't going to stop it from attacking other targets. If the amplifier is something like a DNS server, then your collateral damage isn't just "adjacent customers", it's potentially thousands of other users and resolvers on your own network. If those amplifiers are on a cloud service provider like AWS, you're going to potentially inflict even more pain onto your own paying customers who will no longer be able to communicate with AWS. You will essentially perform the DoS they were aiming for.
[1] https://blog.cloudflare.com/memcrashed-major-amplification-a...
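The flow-report step mentioned in the first comment and the "/24 null-route" trade-off argued over in the replies, as an added example that is not from any of the commenters: sampled flow records are scanned for memcached-style reflectors (UDP source port 11211, large average response size) and then grouped by /24 so the bystander hosts that a per-/24 null-route would also cut off are visible. The flow records, the victim address and the 1000-byte threshold are constructed assumptions.

```python
"""Amplifier report from sampled flows (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

MEMCACHED_PORT = 11211   # UDP port discussed in the thread
MIN_AVG_BYTES = 1000     # assumed threshold: amplified replies are large per packet


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


# Constructed sample flows using documentation prefixes, not real attack data.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 11211, "198.51.100.5", 40001, 500, 700_000),
    Flow("203.0.113.77", 11211, "198.51.100.5", 40001, 300, 420_000),
    Flow("203.0.113.200", 443, "198.51.100.9", 51000, 20, 9_000),  # innocent neighbour
    Flow("192.0.2.8", 11211, "198.51.100.5", 40001, 800, 1_100_000),
    Flow("192.0.2.9", 11211, "198.51.100.5", 40001, 2, 300),  # tiny reply, not amplified
]


def find_reflectors(flows, victim):
    """Return source IPs whose port-11211 traffic toward victim looks amplified."""
    totals = defaultdict(lambda: [0, 0])  # src -> [packets, bytes]
    for f in flows:
        if f.dst == victim and f.sport == MEMCACHED_PORT:
            totals[f.src][0] += f.packets
            totals[f.src][1] += f.nbytes
    return {ip for ip, (pk, by) in totals.items() if pk and by / pk >= MIN_AVG_BYTES}


def nullroute_scope(flows, reflectors):
    """For each /24 holding a reflector: (reflectors inside, bystander hosts inside)."""
    hosts = defaultdict(set)
    for f in flows:
        hosts[str(ip_network(f"{f.src}/24", strict=False))].add(f.src)
    return {net: (ips & reflectors, ips - reflectors)
            for net, ips in hosts.items() if ips & reflectors}


if __name__ == "__main__":
    hits = find_reflectors(SAMPLE_FLOWS, "198.51.100.5")
    for net, (bad, bystanders) in nullroute_scope(SAMPLE_FLOWS, hits).items():
        print(f"{net}: {len(bad)} reflector(s), {len(bystanders)} bystander(s) also cut off")
```

The bystander count per prefix is the collateral the second reply warns about; a per-host block or operator contact list comes from the reflector set itself.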