Peace,
If this endpoint doesn't connect to anything outside of their network, then yes.
If it does though, the design of the filter might become more complicated.
Not really... just requires sorting by volume. Turns out most legitimate hosts don't send high-volume SYN packets. ;)
This is a good *detection* technique, but you cannot filter by volume in transit if the set of destinations is large (and random) enough, and you don't have a time machine. Not sure if this is the case but might as well be.
As for the detection of the real source, everything is technically possible, but you need certain bargaining power which a medium-sized (at best) VPN service probably doesn't have.
--
Töma