Comment Exactly, but there's more (Score 1) 594
This works for any upstream sessions that you initiate, and those downstream sessions that are controlled by e.g. TCP sliding windows.
Downstream bandwidth limits don't help much. If compromized nodes DDoS you from outside, the only thing that helps is to have packet filtering for sources that trigger the alarms based on traffic patterns matching known attacks.
All this downstream packet processing loads your ISPs access router and may easily produce false alarms, filtering traffic that you want to have. Managing the access router filter on a case by case basis from your own node would increase the complexity of the system, so not feasible either.
Seems the ISP just has to cut the troublemakers out if it can to attack the source of the problem
Downstream bandwidth limits don't help much. If compromized nodes DDoS you from outside, the only thing that helps is to have packet filtering for sources that trigger the alarms based on traffic patterns matching known attacks.
All this downstream packet processing loads your ISPs access router and may easily produce false alarms, filtering traffic that you want to have. Managing the access router filter on a case by case basis from your own node would increase the complexity of the system, so not feasible either.
Seems the ISP just has to cut the troublemakers out if it can to attack the source of the problem
