True, but there's a scalability of DDoS's (what is the plural of DDoS?). On a major corporate level for well-known sites it will be as you say, but in my experience on the dedis I've run, small-scale DDoS - i.e. any spike in traffic that affects performance - can be from anything like a few IPs running dictionary attacks on SSH/FTP to a single IP running a flood attack on HTTP.
The action by the ISP/host will depend very much on the nature of what's happening. No single cookie-cutter solution. Suppose it depends on the definition of DDoS!