It could be easily solved by the operator, but that doesn't mean it's easy for the victims to get the operators to fix their stuff. These amplifiers are already run by people who ignored the software manufacturer's directions. What are the odds they will actually install the new version that's harder to abuse?
Usually[0] contacting the operator's ISP and informing them of the situation will get said ISP to contact said operator. All that outbound traffic does represent a cost to the ISP, after all. A call from your ISP usually gets a bit more respect than a call from some random person.
In the past what usually happens is the ISP disconnects you until you prove you've fixed whatever it was (sometimes they're nice and block just part of the connection, or give you a warning).
Surprisingly enough, the ISP often has no real way of contacting anyone; the easiest is to cut the connection and wait for a complaint.
Yep. Sad but true. Nobody bothers to keep their contact info up to date with their ISP it seems. Non-critical stuff sometimes can be mailed to a customer's service address, but often disconnecting someone is all an ISP can do to make them aware they have a problem.
It really depends on the ISP. After spending some time trying to get phishing sources taken down and not getting anywhere, I wouldn't be hopeful about DDoS (reflection) sources being taken down either. When I was running servers that were getting DDoSed frequently (but thankfully for short intervals and not with tons of bandwidth), trying to get chargen servers or wordpress servers fixed didn't even seem like an option. Just make sure my servers wouldn't fall over, or at least would fall over gracefully.
