It's not that hard to write a script that temporarily points a static route
for an unregistered address at each of the machines at a meet point. By
tracerouting to that address you can detect if someone is pointing default at
you.
The script does not have to be a very CPU intensive operation, and if it is
run once a day, it ought to provide a fairly good clue as to whether or not
someone is abusing your network.
I would like to stay away from port filtering except as a last resort. I think
that there are far too many unforeseen problems and complications in debugging.
And for better or worse it would require the removal of all third party
routing which I would guess is pretty common at the Mae's.
Scott Blandford
IBM Global Network