This is actually one of the main uses for the ISP/telco product appliance sold by my employer, Damballa. The appliance reports client IPs which appear to be infected with malware to the ISP, who then reports this their affected customers by whatever mechanism the ISP prefers.
This particular DDoS I actually believe is _not_ due to a botnet, or at least believe there is insufficient evidence either way. The attack appears to be using a technique/infrastructure I’ve been passively tracking for nearly a year, wherein the attack DNS requests are spoofed to appear from seemingly-random clients and sent to open recursive DNS servers across the Internet. This makes the attack look like a botnet to superficial analysis on the target side, but this isn’t necessarily the case. In the small amount of time I’ve so-far invested in trying to track down the origin, I have yet to observe generation of the initial query packets.
This particular DDoS I actually believe is _not_ due to a botnet, or at least believe there is insufficient evidence either way. The attack appears to be using a technique/infrastructure I’ve been passively tracking for nearly a year, wherein the attack DNS requests are spoofed to appear from seemingly-random clients and sent to open recursive DNS servers across the Internet. This makes the attack look like a botnet to superficial analysis on the target side, but this isn’t necessarily the case. In the small amount of time I’ve so-far invested in trying to track down the origin, I have yet to observe generation of the initial query packets.