The case for ratio-based techniques is stronger as a means for a NOC
to detect a strange situation and investigate it than as a means to
automatically shut down an interface.
Note that, given your 'opposite direction' idea, I could shut down
service on campus 'A' by  logging into any host on campus 'A',
 launching an attack that might not be harmful in itself but which
would trigger the auto shutdown you advocate, and then  sitting
back and watch all of campus 'A' get shut down with the presumptive
blame focused on them.
It's still a denial of service attack. The problem is not with
detecting the ratio imbalance, but with simple deterministic response
to it. That determinism could be used by an attacker.
In sum, I like the idea of detecting the problem and rapidly tracing
it, but I'm skeptical about a totally automated response to it given
our current low level of experience with it.