Just c+p an idea I was kicking round on the TOG forums:
My 2c: A registration app. It runs and connects to one of 50 different IP addresses (using a shared algo to choose which one), it then authenticates with this mini server and adds your IP address to an upstream IP filter hosted by the ISP. This then allows you to log in and not have your IP address blocked by the ISP.
In order to attack the game or login server the botnet would need to have all its IPs registered and so reveal all the compromised computers, or all its traffic would be blocked by the ISP whitelist filter. It also prevents the randomised IP address commonly used in these types of attacks. If the attacker instead targets the mini authentication server, then the attack will only prevent people with a new IP address from registering, and only for the brief period of time that the login app is using that IP. Once it changes to a different server IP (remember it rotates around 50 different addresses) the registration will work again. The only effective attack is to block all 50 addresses, at which point you simply update the registration app with a different 50 IP addresses.
This would stop the attack from affecting anyone at home (ISP already known), and anyone already online (registration server is not the game server). The only people that could still be affected would be people with a new IP address who need to get it registered. In order to take down the registration servers, the attacker would need 50 to 100 times the size of the network of bots to achieve the same effect, and load on the registration server would have no impact on the actual game server/connections anyway.
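A sketch of the rotation and allowlist described in the post, added here as an example and not code from the original post or from any game or ISP. The HMAC-over-time-slot selection, the 5-minute window, the key, and all names and addresses (documentation ranges) are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed pool: 50 addresses from the TEST-NET-2 documentation range.
POOL = [f"198.51.100.{i}" for i in range(1, 51)]
SHARED_KEY = b"example-key-shipped-with-the-app"  # assumption: shared by app and operator
WINDOW_SECONDS = 300                               # assumption: rotation period


def active_server(now, key=SHARED_KEY, pool=POOL, window=WINDOW_SECONDS):
    """Address that the app and the operator both derive for time `now`."""
    slot = int(now) // window
    digest = hmac.new(key, str(slot).encode(), hashlib.sha256).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


class UpstreamFilter:
    """Stand-in for the ISP-hosted allowlist in front of the game/login server."""

    def __init__(self):
        self.allowed = set()

    def register(self, client_ip, contacted_server, now, authenticated):
        # Only the mini server that is active for this window may add entries.
        if authenticated and contacted_server == active_server(now):
            self.allowed.add(client_ip)
            return True
        return False

    def permits(self, source_ip):
        # Traffic from unregistered sources never reaches the game server.
        return source_ip in self.allowed


def windows_until_reachable(start, blocked, window=WINDOW_SECONDS, limit=1000):
    """Rotation windows a new client waits while `blocked` addresses are down."""
    for n in range(limit):
        if active_server(start + n * window) not in blocked:
            return n
    return None  # every address in the pool is down: ship a new pool


if __name__ == "__main__":
    now = 1_000
    flt = UpstreamFilter()
    flt.register("203.0.113.7", active_server(now), now, authenticated=True)
    print(flt.permits("203.0.113.7"), flt.permits("203.0.113.8"))
    print(windows_until_reachable(now, {active_server(now)}))
```

Because the key ships inside the app, the schedule itself is not secret; the rotation only bounds how long one unavailable address can hold up new registrations.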