Filed under "this is why we can't have nice things" --- How about: upgrading "home" routers to offer some form of packet inspection? Yes I know that sometimes the routers themselves are enlisted in the attack. However, it appears that many IoT devices are set up inside the home/business and are insecure. And homes are adding more IoT devices than they are adding routers - thereby increasing the available munition surface area. Usually it is 1-router and (n)-IoTs.
Maybe this is a trivial solution - but couldn't router software enforce a few simple restrictions on properly formed outbound packets?
Or wait - we don't need to upgrade the routers. Instead change their Gateway to send traffic to scanning device. Although one has to wonder if the likes of Comcast have IPS.
And since DNS seems to be in vogue - might DNS servers start asking themselves "why does server x.y.z need 1-bazillion replies to the same entry?"
However, these ideas only resolve the (current) symptom. The basics of the internet may need to be rethought - a super IPSEC? It wasn't that long ago that open mail routers posed a similar threat and opportunity for spammers (yes - the game has since moved to "legit" robo-inboxes). As the network grows attackers will continue to find ways to break it. A "single" person can take over the whole network. Things like blaster/code-red took over whole corporate networks from inside. Now these attacks are outside and treat all domain systems as one giant inside-system.
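The resolver-side check the comment floats ("why does server x.y.z need 1-bazillion replies to the same entry?"), written out as an added example that is not part of the original post. It tallies queries per (client, qname) over a sliding window of constructed resolver log lines and flags pairs whose count and response/query byte ratio look like a reflection flood; the log format, thresholds and sample addresses are assumptions for the example.

```python
# Added example, not from the original post: flag (client, qname) pairs that
# receive an unusual number of large replies to the same DNS entry inside a
# short window, the signature of a reflection/amplification flood.
from collections import defaultdict
import re

# Assumed log format (constructed for this example):
# "<epoch> client=<ip> qname=<name> qtype=<type> qsize=<bytes> rsize=<bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) client=(?P<ip>[\d.]+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>\w+) qsize=(?P<qsize>\d+) rsize=(?P<rsize>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": int(d["ts"]), "ip": d["ip"], "qname": d["qname"].lower(),
            "qtype": d["qtype"], "qsize": int(d["qsize"]), "rsize": int(d["rsize"])}

def find_reflection_suspects(lines, window=60, min_count=50, min_amp=10.0):
    """Return {(ip, qname): {...}} for pairs that exceed both thresholds in some window."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["qname"])].append(e)
    suspects = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):          # sliding window over timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        count, lo, hi = best
        qbytes = sum(x["qsize"] for x in evs[lo:hi + 1])
        rbytes = sum(x["rsize"] for x in evs[lo:hi + 1])
        amp = rbytes / qbytes if qbytes else 0.0  # bytes sent back per byte received
        if count >= min_count and amp >= min_amp:
            suspects[key] = {"count": count, "amplification": round(amp, 1)}
    return suspects

# Constructed sample: 80 identical ANY queries "from" one address within ~30 s,
# plus ordinary one-off A lookups from other clients.
SAMPLE_LOG = [f"{1000 + i // 3} client=203.0.113.7 qname=example.net qtype=ANY qsize=45 rsize=3100"
              for i in range(80)]
SAMPLE_LOG += [f"{1000 + i * 7} client=198.51.100.{i} qname=host{i}.example.org qtype=A qsize=40 rsize=90"
               for i in range(10)]
```

The flagged client address is usually the spoofed victim rather than the attacker, so the useful response on the resolver is to rate-limit or truncate replies toward it, not to treat it as the source.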