So, after thinking about this a little more, there is nothing preventing the Botnet operators from doing a DNS lookup and simply targeting the new IP address. However, that would let us weed out legitimate traffic from botnet traffic over enough iterations. ISPs could have a three-strikes rule for clients. The first time you attempt to contact an IP address on the DDoS target list, that's strike one; most "strike one traffic" is probably legit, people pressing F5 trying to reload the site, etc. By strike two, you start to see exactly which addresses are following the DNS chain and propagating the attack. By strike three or more (if ISPs are reporting their "repeat offenders" to a central clearing house), you have a pretty decent picture of all the end nodes in the Botnet. You Null Route those, too, in a separate list, with the same TTL expiration as the DDoS target list. When people call their ISPs to bitch, the tech on the other end notices the red flag on the account and asks the owner to kindly unplug their smart toothbrush (or whatever brain-dead IoT device is being utilized) if they would like to have their internet turned back on. Avoiding false positives on Botnet membership would require the targeted site to put up some kind of "This site is under attack!" notice so people know to stay clear while the members of the Botnet are identified and blocked.
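The three-strikes bookkeeping sketched in this comment, as an added example that is not the commenter's code: a tracker that counts how often each client address contacts an entry on the null-routed target list, flags a client on its third contact, and lets both the target entries and the flagged clients expire on the same TTL. The flow records, the two target addresses (the original and the "new IP" reached after a DNS change), the RFC 5737 documentation addresses and the expiry timestamps are all constructed for the example.

```python
from collections import defaultdict

STRIKE_LIMIT = 3  # third contact with a listed target flags the client (the comment's "strike three")


class StrikeTracker:
    """Count per-client contacts with null-routed DDoS targets and flag repeat offenders.

    targets: dict of target IP -> expiry timestamp (the DDoS target list with its TTL).
    A flagged client inherits the expiry of the target it was chasing, so the
    block list for bots ages out together with the target list.
    """

    def __init__(self, targets):
        self.targets = dict(targets)
        self.strikes = defaultdict(int)  # client IP -> contacts with any listed target
        self.flagged = {}                # client IP -> expiry timestamp

    def _expire(self, now):
        # Drop target entries and flagged clients whose TTL has passed.
        self.targets = {ip: exp for ip, exp in self.targets.items() if exp > now}
        expired = [ip for ip, exp in self.flagged.items() if exp <= now]
        for ip in expired:
            del self.flagged[ip]
            self.strikes.pop(ip, None)  # start the client with a clean slate next time

    def observe(self, ts, src, dst):
        """Process one flow record (timestamp, client, destination).

        Returns True if the client is, or has just become, flagged.
        """
        self._expire(ts)
        if src in self.flagged:
            return True
        if dst not in self.targets:
            return False  # ordinary traffic, nothing to count
        self.strikes[src] += 1
        if self.strikes[src] >= STRIKE_LIMIT:
            self.flagged[src] = self.targets[dst]
            return True
        return False


# Constructed target list: the original victim address and the address it moved
# to after a DNS change, both null-routed until timestamp 1000.
TARGETS = {"203.0.113.10": 1000, "203.0.113.11": 1000}

# Constructed flow records: (timestamp, client, destination).
# 198.51.100.5 is a legitimate visitor pressing reload twice;
# 192.0.2.7 follows the DNS chain from the old address to the new one and back.
FLOWS = [
    (1, "198.51.100.5", "203.0.113.10"),
    (1, "192.0.2.7", "203.0.113.10"),
    (2, "198.51.100.5", "203.0.113.10"),
    (2, "192.0.2.7", "203.0.113.11"),
    (3, "192.0.2.7", "203.0.113.10"),
    (3, "198.51.100.5", "198.51.100.99"),  # unrelated destination, not counted
]


def run(flows, targets):
    """Feed every flow through a fresh tracker and return it for inspection."""
    tracker = StrikeTracker(targets)
    for ts, src, dst in flows:
        tracker.observe(ts, src, dst)
    return tracker


def flagged_clients(flows, targets):
    """Sorted list of client addresses flagged after processing the flows."""
    return sorted(run(flows, targets).flagged)


if __name__ == "__main__":
    t = run(FLOWS, TARGETS)
    print("strikes:", dict(t.strikes))
    print("flagged:", t.flagged)
```

Two strikes leave the reload-happy visitor untouched, while the client that chased the victim across addresses is flagged on its third contact and drops off the list once the target list's TTL expires.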