Vadim,
The case for ratio-based techniques is stronger as a means for a NOC
to detect a strange situation and investigate it than as a means to
automatically shut down an interface.
Note that, given your 'opposite direction' idea, I could shut down
service on campus 'A' by [1] logging into any host on campus 'A',
[2] launching an attack that might not be harmful in itself but which
would trigger the auto shutdown you advocate, and then [3] sitting
back and watching all of campus 'A' get shut down with the presumptive
blame focused on them.
It's still a denial of service attack. The problem is not with
detecting the ratio imbalance, but with a simple deterministic response
to it. That determinism could be used by an attacker.
In sum, I like the idea of detecting the problem and rapidly tracing
it, but I'm skeptical about a totally automated response to it given
our current low level of experience with it.
-- Guy