OK. When you said "do this from BGP data" I didn't assume you'd be
tossing out the next-hop and just keeing the interface. Although I
suppose a bitmap with a bit per active ARP entry could be used too (as
long as ARP entries could be keep a slot reserved after they expire
until all routes using the ARP entry are changed, which shouldn't be
long or there is a problem).
Basing this on the AdjRibIn is a more work than just reversing the
sense of the Fib but it does cover quite a few more cases. Though not
all of them.
The transit providers still need to be able to trace attacks after the
fact since there is no filter that covers these cases and filters at
the fringes will be spotty deplomyments.
Curtis