It should be perhaps remarked that deep packet ispection features are already a standard
feature of firewalls. I assume you *do* have a firewall with stateful inspection features
infront of your linux box and it does drop at least some incoming attack traffic. This
involves looking at more than the just the IP header, which is normally sufficient to route
the packet (modulo NAT).
If you want interesting throtling features then vanilla linux kernels do have optional policy
routing which can do that too. I suspect some readers might have implemented a transparent
HTTP proxy which clearly constitutes a man in the middle.
Anything like a NebuAd trial would be a powerful reason for me to use another ISP. I do not
exist to be fed advertising, period.