I may be missing something, but could those of you who want to track/identify these connections please tell me how to do it? Are they supposed to be using a small fixed set of well understood protocols? I thought not. Also any of these connections can be encrypted, right? I think this approach is essentially hopeless. It seems to me the only real solution is to know what the "real" services are that you want to support and classify everything else as junk. You can tell the people in your network that you're doing this and they can tell you what servers on what machines they want you to add to the "real" class. Probably you want to use something like ESFQ to share the junk bandwidth.
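As an added illustration of the "real vs. junk" classification the post proposes (this is example code, not the poster's own, and not part of the original thread): flows are classified by destination endpoint (address, IP protocol, port) registered by the users, so it works regardless of whether the payload is encrypted or uses an unknown protocol, and the same table is turned into tc u32 filters. The service table, the device name and the HTB class ids 1:10 (real) and 1:20 (junk) are constructed assumptions for the example.

```python
"""Classify flows by registered destination endpoint, not by protocol content.

Constructed example: the service table, classids and device are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# "Real" services that people on the network asked to have whitelisted:
# (destination network, transport protocol, destination port, tc classid).
# The classids are assumed HTB classes created elsewhere (not shown here).
REAL_SERVICES = [
    (ip_network("10.0.0.5/32"), "tcp", 443, "1:10"),  # internal HTTPS server
    (ip_network("10.0.0.0/24"), "udp", 53, "1:10"),   # resolvers in the server subnet
    (ip_network("10.0.1.7/32"), "tcp", 22, "1:10"),   # SSH jump host
]
JUNK_CLASS = "1:20"  # everything else shares this class fairly (sfq/esfq below)

IP_PROTO = {"tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def classify(flow: Flow) -> str:
    """Return the classid for a flow: a real-service class if the destination
    endpoint is registered, otherwise the junk class. Nothing about the payload
    is inspected, so encrypted or unknown protocols are handled the same way."""
    dst = ip_address(flow.dst)
    for net, proto, port, classid in REAL_SERVICES:
        if dst in net and flow.proto == proto and flow.dport == port:
            return classid
    return JUNK_CLASS


def tc_filters(dev: str = "eth0", parent: str = "1:") -> list[str]:
    """Emit tc u32 filters mirroring REAL_SERVICES, plus a lowest-priority
    catch-all that sends everything else to the junk class.

    Caveat: u32 'match ip dport' checks a fixed offset in the IP header, so
    packets carrying IP options or fragments after the first will not match."""
    lines = []
    for prio, (net, proto, port, classid) in enumerate(REAL_SERVICES, start=1):
        lines.append(
            f"tc filter add dev {dev} parent {parent} protocol ip prio {prio} u32 "
            f"match ip dst {net} "
            f"match ip protocol {IP_PROTO[proto]} 0xff "
            f"match ip dport {port} 0xffff "
            f"flowid {classid}"
        )
    lines.append(
        f"tc filter add dev {dev} parent {parent} protocol ip "
        f"prio {len(REAL_SERVICES) + 1} u32 match u32 0 0 flowid {JUNK_CLASS}"
    )
    return lines


if __name__ == "__main__":
    # Constructed sample flows: an unknown encrypted service on a registered
    # host lands in junk, a registered service lands in the real class.
    samples = [
        Flow("192.0.2.1", "10.0.0.5", "tcp", 443),
        Flow("192.0.2.1", "10.0.0.5", "tcp", 8443),
        Flow("192.0.2.2", "10.0.0.9", "udp", 53),
        Flow("192.0.2.3", "10.0.9.9", "udp", 53),
    ]
    for f in samples:
        print(f"{f.dst}:{f.dport}/{f.proto} -> {classify(f)}")
    print("\n".join(tc_filters()))
```

The junk class then gets a fair-queueing qdisc so no single flow hogs the leftover bandwidth, e.g. `tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10` with the in-tree sfq, or esfq if the out-of-tree ESFQ patch the post mentions is installed. Filters must be re-emitted whenever the registered table changes, and the catch-all must keep the lowest priority (highest prio number) so registered entries are tested first.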