Could router protocols add in a "firewall" feature, or could there be a distributed firewall layer on top?
The way it would work is this: when I block your packets, I could transmit that rule back to routers along the way to say, "this packet is going to get dropped on the floor when it gets here, so don't bother sending it".
This rule could leapfrog its way back as close to the source as the various ISPs wanted, and could generate punishments or charges if they wanted.
Yes, I'm aware of the obstacles. Packets arriving wouldn't necessarily route the same way back and you'd really need to know the route they took. But, without just throwing the whole idea out, could you consider it in "brainstorm" mode: is there merit to the idea? Would there be any other benefits?
It's potentially a lot of rules for routers to keep track of, but they could be LRU or weighted some way that only persistent DoSers would stay in the table. I haven't really thought about how to handle timeouts...
There is the potential for spoofing abuse--but it's actually a way to find spoofing abusers.
ISPs or backbone providers could transmit it without observing it, but observing would be in their interest: why carry the packets that don't need to be carried? Their own users would benefit too.
It would be useful for more than just IRC or other singular protocols, blocking spam, etc. It would have been a way for kuro5hin to transmit the info that it was being DoSed to a bunch of routers along the way. The humans out there in admin land didn't care or couldn't be bothered, but machines are friendlier servants in this respect. I like this sort of solution because it is not centralized, but it does not lose the individual (person, server or network) in the ocean of the internet.
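As an added illustration of the brainstorm above (this is not code from the post or its author), here is a toy simulation of the "leapfrog the drop rule back toward the source" idea: a chain of routers, each holding a small LRU rule table with an idle timeout, and a victim at the far end that pushes a drop rule a chosen number of hops upstream. It assumes the upstream path is known and symmetric, which the post itself flags as the hard part; the router names, addresses and the tick-based clock are constructed for the example.

```python
# Added example (not from the post): toy model of upstream drop-rule
# propagation with bounded LRU rule tables and idle timeouts.
from collections import OrderedDict


class RuleTable:
    """Bounded table of (src, dst) drop rules with LRU eviction and idle timeout."""

    def __init__(self, capacity, idle_ttl):
        self.capacity = capacity
        self.idle_ttl = idle_ttl
        self._rules = OrderedDict()  # key -> tick at which the rule expires

    def install(self, key, now):
        self._rules.pop(key, None)  # reinsert so the key becomes most recent
        self._rules[key] = now + self.idle_ttl
        while len(self._rules) > self.capacity:
            self._rules.popitem(last=False)  # evict the least recently used rule

    def matches(self, key, now):
        expiry = self._rules.get(key)
        if expiry is None:
            return False
        if expiry <= now:  # the source went quiet: rule ages out
            del self._rules[key]
            return False
        # A hit refreshes the rule, so only sources that keep sending stay blocked.
        self.install(key, now)
        return True

    def __len__(self):
        return len(self._rules)


class Router:
    def __init__(self, name, capacity=4, idle_ttl=10):
        self.name = name
        self.table = RuleTable(capacity, idle_ttl)
        self.upstream = None  # next router toward the source (assumed known)

    def install_block(self, key, now, hops):
        """Install a drop rule here and leapfrog it `hops` routers upstream."""
        self.table.install(key, now)
        if hops > 0 and self.upstream is not None:
            self.upstream.install_block(key, now, hops - 1)


def build_path(names, **table_opts):
    """Routers in source-to-destination order; each knows its upstream neighbour."""
    routers = [Router(n, **table_opts) for n in names]
    for prev, cur in zip(routers, routers[1:]):
        cur.upstream = prev
    return routers


def send(path, packet, now):
    """Walk a (src, dst) packet along the path; return the dropping router or None."""
    for router in path:
        if router.table.matches(packet, now):
            return router.name
    return None  # delivered to the destination


def demo():
    """Run the scenarios from the post; returns where each packet was dropped."""
    path = build_path(["isp_a", "backbone", "isp_b", "victim_edge"], capacity=2, idle_ttl=5)
    victim = path[-1]
    flood = ("198.51.100.7", "203.0.113.10")  # constructed sample addresses
    result = {}
    result["before"] = send(path, flood, now=0)  # nothing installed yet
    victim.install_block(flood, now=0, hops=1)  # rule reaches only the next ISP
    result["one_hop"] = send(path, flood, now=1)
    victim.install_block(flood, now=1, hops=3)  # rule reaches the first hop
    result["full_push"] = send(path, flood, now=2)
    # A persistent source keeps refreshing the rule and stays blocked.
    result["persistent"] = all(send(path, flood, now=t) == "isp_a" for t in range(3, 13))
    # After going idle for longer than idle_ttl, every copy of the rule ages out.
    result["after_idle"] = send(path, flood, now=30)
    # Capacity is a real limit: two newer rules push the flood rule out of each table.
    victim.install_block(flood, now=30, hops=3)
    victim.install_block(("198.51.100.8", "203.0.113.10"), now=31, hops=3)
    victim.install_block(("198.51.100.9", "203.0.113.10"), now=31, hops=3)
    result["after_eviction"] = send(path, flood, now=32)
    return result


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:15} -> {outcome}")
```

The refresh-on-hit in `matches` is what gives the "only persistent DoSers stay in the table" property: a source that keeps sending keeps its rule alive at the first router that sees it, while a source that stops is forgotten after `idle_ttl` ticks. The last scenario shows the flip side of a bounded table: under enough distinct rules, the LRU policy evicts a still-active block, so capacity and timeout are the knobs an operator would have to tune.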