You could always "deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm log" on
your cores. Deny ICMP from critical portions of your network. Create a
little script which tail -fs the log, parses it, sorts it and counts it.
If the script counts more then xxx hits on a certain IP or a certain
number of IPs on your network from the same source or a multiple sources
on the same network, you have your upstream. Once you have them, you can
call them and ask them to do the same until you find the real source.