The only way--the only way--to solve these issues is with web servers requiring that all clients authenticate with a credential that is provably tied to a real-world entity--person or corporate entity--so that legal recourse is available to the server owner when abuse occurs. The internet is no longer high-trust; we're running web servers the same way we'd run an honor-system store where people just come in and steal, anonymously, and with no recourse.
Aside from the obvious disadvantages of a non-anonymous web, I also don't even think it will work. How do you deal with identification and punishment of threat actors across the globe? We've been failing at that since the start. When was the internet ever high trust?
In reality, users will have to show a passport to use the internet, while corporations will hide behind a "Corporate ID" that's whitelisted in all authenticator services, because those are also corporations. So you'll keep getting millions of requests from corp234 and corp456 with no legal recourse against them.
I don't know. Once I know who the legal entity is who I assert is a bad actor, I'm not sure there is really any recourse to be had.
Your honor, these people are visiting my website in a way that makes me sad? I feel that we would need to encode bad behavior in a legally reasonable way first.
And not to mention that you'll have to bring legal disputes a legal entity at a time. And some of these legal entities have very deep pockets.
Unless the suggestion is that internet providers are all going to join together to stand up for the little guy? Somehow I'm not optimistic.
(Finally, IPv6 has taken decades to get to where it is today. Somehow I don't see a legally attributable IP traffic extension being ready and deployed any faster.)
The truth and tragedy of this is very clear to me. I am hoping this is something that will eventually be solved, but I don't expect it. These companies are on a burn-and-pillage rampage.