Simon Lockhart wrote:

> Has anyone else come up against the problem, and/or have any suggestions on
> how best to resolve it?

The best solution is to have a common practice on a set of public
port numbers assigned to a host behind NAT.

For example, with a practice that, if a port in a range between N*8
and N*8+7 is assigned to a host, other ports in the range are not
assigned to other hosts, service providers can block packets
based on IP addresses and ranges, especially if correspondence between
hosts and ranges is rather stable.

But, it may be too late to make such a practice common, I'm afraid.

Or, wait for a while until service providers receive enough
feedback from innocent users. To accelerate it, you can make
correspondence between hosts and public addresses not so stable,
which makes almost all your IP addresses marked bad quickly,
which may make you lose some customers, unless other ISPs also do so.
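
Added example, not part of the original message: a sketch of how a service provider could block on (public IP, port range) under the N*8 to N*8+7 practice described above, instead of blocking the whole NAT address. The class and function names, the expiry time, and the sample sessions are assumptions constructed for illustration; the expiry reflects the point that host-to-range mappings are only "rather stable".

```python
import ipaddress

BLOCK_SIZE = 8  # convention from the message: ports N*8 .. N*8+7 belong to one host


def port_block(port: int) -> range:
    """Return the port range N*8 .. N*8+7 that contains `port`."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port: {port}")
    start = port - port % BLOCK_SIZE
    return range(start, start + BLOCK_SIZE)


class PortBlockDenylist:
    """Denylist keyed on (public IP, N). Entries expire because mappings can change."""

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._expiry = {}  # (address, N) -> time at which the entry lapses

    def block(self, ip: str, port: int, now: float) -> range:
        rng = port_block(port)
        key = (ipaddress.ip_address(ip), rng.start // BLOCK_SIZE)
        self._expiry[key] = now + self.ttl
        return rng

    def is_blocked(self, ip: str, port: int, now: float) -> bool:
        key = (ipaddress.ip_address(ip), port_block(port).start // BLOCK_SIZE)
        return self._expiry.get(key, 0) > now


# Constructed sample: three hosts behind one NAT address (documentation range).
SESSIONS = [
    ("203.0.113.7", 1029, "host-A"),  # the source port seen in the abuse report
    ("203.0.113.7", 1024, "host-A"),
    ("203.0.113.7", 1032, "host-B"),
    ("203.0.113.7", 1047, "host-C"),
]


def affected_hosts(denylist, sessions, now):
    """Hosts whose sessions would be dropped by the denylist at time `now`."""
    return sorted({h for ip, port, h in sessions if denylist.is_blocked(ip, port, now)})


if __name__ == "__main__":
    dl = PortBlockDenylist(ttl_seconds=3600)
    rng = dl.block("203.0.113.7", 1029, now=0)
    print(f"blocked 203.0.113.7 ports {rng.start}-{rng.stop - 1}")
    print("hosts affected:", affected_hosts(dl, SESSIONS, now=10))
```

Blocking the bare address would drop all three hosts; keyed on the port range, only the host that owns ports 1024-1031 is affected.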