I’m glad this thread is getting back to exploring options and solutions …. One recommendation every ISP needs to consider is subscribing to the Shadowserver Foundation’s daily reports. That reporting gives you data on your customer infection rate from the wide range of sources fed into Shadowserver. When you ask to subscribe, ask for multiple reprints - where you get the ASN report, then a IP report on your core network infrastructure, and a separate IP report on your customer IP blocks. That makes it easier to work with the risk profile from your infected customers. Finally, once of the ways you can feed in data into Shadowserver is through their DDoS Reputation API. Organizations who are attacked, can use the API to query the source IPs of the attack and find out details Shadowserver has on the IPs. That DDoS instance is then added to the telemetry. That is then delivered to the ISPs who subscribe to Shadowserver to let them know their infected customers are being used for attacks. So If you have an Anti-DDoS provider, ask them if they are using the Shadowserver DDoS Reputation API. That helps the “small ISPs” get details on which infected customers are being used by the miscreants.