Blocking the traffic upstream sure would be nice, it's like a zoo out there!
I had those brute-force SSH attacks too, within 2 days of going online if I remember correctly. Changing the default port to a much higher one fixed that quick.
For now I've added a rule to drop all access besides the IP I use to access my server, and incoming traffic on my public interface has come down to about 4 Mbytes an hour. It's been going down gradually to 4Mb, so it looks like bot farms are losing interest.
But I still need to run my httpd on port 80, and unblock it one day ... and spammers know it.
Before I go public again with my port 80, I'll either subscribe to an IP blacklist, or install fail2ban, or both!
Cheers, and thanks for the sanity check, business_kid