I may be on the wrong track but here's my thoughts:
- People who buy big pipes are expected to have large amounts of traffic (why else pay such a large chunk of money)
- However, the difference between a lot of people visiting a site and a site spamming a lot of blogs/wikis/guest books is the direction of the traffic.
- This difference in direction can be detected via the TCP handshake. In other words, the SYN, SYN/ACK, ACK sequence.
- Thousands (millions?) of SYN packets towards a web site (with unique IPs) means one of two things: lots of visitors or a possible botnet attack (which we're not discussing at the moment).
- Thousands (millions?) of SYN (no ACK) packets from a site, to hundreds or thousands of packets to other web sites)(unique IPs not requried) means that the ISP's customer is either Google or is doing something worth investigating further.
Detecting this sort of thing should be relatively easy. Has anyone tried this? Willing to try it?