Correct. Very little that can be done if they simply flood the connection, even if the WAN IP is advertised by the LAN, outbound. Identifying that specific traffic signature is going to be tough. Even as an ISP we have to test in a controlled environment to identify it. Then trying to auto mitigate it is even tougher to do without affecting legit traffic. As an ISP it's a problem as it can annihilate capacity at times, although we've managed it on our end. So we're working very closely with IS behind the scenes to try to finalise a solution, but source, ports and bandwidth keep changing. So refining and testing rules on auto mitigation is quite a process for what amounts to relatively small bandwidth. Abuse reports have been sent with clear evidence but no response from the hosts yet. There are also weird and rather sneaky malicious apps posing as legit and serving at least one legit purpose, that we've discovered of late call to very specific, local SIP providers. And attempt to break in using your device and botnet a dos attack. Also shares any successful auth with other instances across networks. Vital to get decent security on your network, especially for capped customers. We quite simply don't log the traffic no matter what anyone claims, so it's difficult for us to pinpoint what bandwidth was used for what services at selected times other than educated guesses and post processing heuristics. Time consuming and frustrating...