Death of the Internet, Film at 11

One way to deal with this would be for ISP's to purchase DoS attacks
against their own servers (not necessarially hosted on your own
network) then look at which connections from their network attacking
these machines then quarantine these connections after a delay
period so that attacks can't be corollated with quarantine actions

This doesn't require a ISP to attempt to break into a customers
machine to identify them. It may take several runs to identify
most of the connections associated with a DoS provider.

Josh Reynolds writes:

And then what?

They get in someone to clean up their network. When they say it
is clean you reconnect them. If this happens more often than once
a year you charge them a months fees per additional incident. Have
the year timer start when reconnect is requested. You give them
what data you have to backup the claim.