The sad part is that it was too late before the devices were even built. This is really no different than any other zombie botnet.
What is needed, IMO, is a standardized system for being able to report problems upstream—an ICMP response that says, in effect, "Suppress all traffic from x.x.x.x to y.y.y.y for five minutes" that propagates upstream. Ideally, it should use a three-step handshake to prevent forged block requests from being viable, where the recipient of that message waits until it sees a packet directed to y.y.y.y, (to avoid amplification attacks), then sends a packet that says, "confirm block id xxxx" and it responds "yes xxxx" after which it drops the traffic. If it gets no response, it should try three pings (with exponential backoff), and if they fail, it should assume that the server is saturated and it should block the traffic as requested. If they succeed and a subsequent confirmation fails, it should assume that the server doesn't actually support blocking requests, and that the blocking request was spoofed. If the response is "no xxxx", then the blocking request was spoofed, and the packet passes through with only that small extra bit of latency, and the blocking request is discarded.
If such a scheme were in place, then each botnet member joining in a DDoS attack would get blocked by their closest router, or at a bare minimum, by the router at their ISP, and would basically be unable to do any real harm.