Simon Lockhart wrote:
Has anyone else come up against the problem, and/or have any suggestions on how best to resolve it?
The best solution is to have a common practice on a set of public port numbers assigned to a host behind NAT. For example, with a practice that, if a port in a range between N*8 and N*8+7 is assigned to a host, other ports in the range are not assigned to other hosts, service providers can block packets based on IP addresses and ranges, especially if the correspondence between hosts and ranges is rather stable.

But, it may be too late to make such a practice common, I'm afraid.

Or, wait for a while until service providers receive enough feedback from innocent users. To accelerate it, you can make the correspondence between hosts and public addresses not so stable, which makes almost all your IP addresses marked bad quickly, which may make you lose some customers, unless other ISPs also do so.

Masataka Ohta
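The port-range practice described in the reply above, seen from the service provider's side, as an added example that is not part of the original message: abuse is counted and blocked per (public address, 8-port block) instead of per address. The log format, threshold and function names are assumptions, and the sample lines are constructed.

```python
from collections import Counter

BLOCK_SIZE = 8  # ports N*8 .. N*8+7 go to one host, as in the practice above

def port_block(port: int) -> range:
    """Return the range of public ports that share a block with `port`."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port: {port}")
    start = (port // BLOCK_SIZE) * BLOCK_SIZE
    return range(start, start + BLOCK_SIZE)

def parse_line(line: str):
    """Parse 'ip:port event' (assumed log format) into (ip, port, event)."""
    endpoint, event = line.split()
    ip, port = endpoint.rsplit(":", 1)
    return ip, int(port), event

def build_blocklist(lines, threshold=3):
    """Collect (ip, block_start) pairs with at least `threshold` abuse events."""
    hits = Counter()
    for line in lines:
        ip, port, event = parse_line(line)
        if event == "abuse":
            hits[(ip, port_block(port).start)] += 1
    return {key for key, count in hits.items() if count >= threshold}

def is_blocked(blocklist, ip: str, port: int) -> bool:
    """True only if this source port falls in a blocked range on this address."""
    return (ip, port_block(port).start) in blocklist

# Constructed sample: two subscribers behind the same NAT address 192.0.2.10,
# one using ports 4096-4103 and the other using ports 4104-4111.
SAMPLE_LOG = [
    "192.0.2.10:4096 abuse",
    "192.0.2.10:4099 abuse",
    "192.0.2.10:4103 abuse",
    "192.0.2.10:4104 ok",
    "192.0.2.10:4111 ok",
    "198.51.100.7:4097 abuse",
]

if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_LOG)
    print(sorted(blocklist))
    print(is_blocked(blocklist, "192.0.2.10", 4100))  # abusive host's range
    print(is_blocked(blocklist, "192.0.2.10", 4104))  # neighbour, same address
```

This only isolates the right subscriber while the host-to-range mapping stays stable, which is the condition the reply attaches to the scheme.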