I think you've missed one thing - ISPs putting these filters in place prevents their customers from attacking other ISPs' customers (or at least, it makes it harder for them to get away with it). So, moving to an ISP that uses egress filtering doesn't help you. It only helps you if the bad guys can't find an ISP that doesn't use it. So, it costs an ISP money to apply egress filtering, but it benefits them only if most other ISPs apply it. If everyone does it, you get a better situation for everyone, but any one ISP not applying it saves themselves money by costing everyone else money. Tragedy of the commons, right?
That's where government intervention in the market can start making sense. Note we're not talking about government legislating specific measures. If they did that, (a) the ISPs would put their efforts into finding the most minimal, ineffective way of satisfying the rules, and (b) the next generation of DDoS tools would work around such measures within months, and it would be probably four or five years until regulation caught up.
What we're talking about is changing the balance of financial responsibility in such a way that the free action of the market (which responds to the entire financial environment, including liabilities imposed by law) causes ISPs to seek out and use the most effective available measures. So, you say ISPs are liable for X percent of damages for DoS attacks originating from their networks, where it can be shown that proper diligence would have permitted them to block those attacks (or to have allowed the perps to be caught the first time, if this is a repeat attack). All of a sudden, instead of dragging their feet, ISPs will look for technical solutions, and the market will produce the most effective ones.
Here's an interesting example of this: in Beyond Fear Bruce Schneier refers to security against bank ATM fraud in the US and the UK. In the US, if a customer complains of fraudulent withdrawals on their card, the onus is on the bank to prove there wasn't a fraud. If they can't prove it one way or another, the bank has to refund the customer's money. Result: the banks implemented countermeasures against ATM card fraud, because the fraud cost them money, and the fraud was drastically reduced.
In the UK, the onus is on the customer to prove they're not lying. So, in most cases, if a customer complains of ATM fraud, the (default) conclusion is they're trying to scam the bank, and they'll often get sent to jail for fraud themselves. Therefore it becomes most cost-effective for UK banks to ignore ATM fraud, because they can just charge customers for it, and if they protest, have them thrown in jail. Result: lots of ATM fraud, and customers mostly just silently accept the damages.
Bit of a digression now, but - it seems to me, most people who claim to be against government intervention in the markets, aren't really when you look at it closely. Bankruptcy protection is a perfect example of government interfering in the markets - poof! that debt doesn't exist! - but I think almost everyone thinks it's a good idea, most especially the "free market" fanatics. But if you really want to be consistent about the government staying out of the market, you'd have to be opposed to bankruptcy protection, as just another government interference.
So, if you (or a company in which your pension fund has invested your savings) go deep into debt, then you would stay on the hook for the debt; no state intervention to bail you out. And you (and maybe your children to the n-th generation till the debt is gone) would have to have your wages garnisheed, or, if you're not earning enough, just go into indentured servitude till it's paid off. Of course that's patently ridiculous. Everyone favours state intervention in the market, because in this case a truly free market doesn't favour human well-being, or even the long-term health of the economy as a whole.