block faked traffic

I have a customer that sells cheap VPS servers. The switch with his servers is connected directly to my edge router (we charge extra for this service). He regularly gets a customer who is using the VPS account to do some kind of amplified reply attack. They do this one of two ways. The latest was just using a fake source address (the victim, I assume) with loads of requests going out to random IPs. These are usually around 60mb of traffic, but it soaks the CPU on a routermaxx core2.

I am able to block this type of attack… after my alarms go off, by dropping traffic with that source address.

I am trying to find an efficient means to pre-emptively block the fake traffic. I was thinking of blocking invalid traffic but do not know if this will have an effect:
chain=forward action=drop connection-state=invalid
Any other ideas?

If you know the subnets that the VPS company assigns customer IPs from, you could just accept forward traffic only from these ranges, resulting in the faked traffic being dropped as long as its source IP is outside of the correct range.

Simple enough,

add action=accept chain=forward comment="Customer Allow" disabled=no src-address=8.x.x.0/24
add action=drop chain=forward comment="Customer Fake Deny" disabled=no in-interface=VLAN22-Customer
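As an added illustration (not part of the thread, and not anything the posters ran), the following Python models how a RouterOS-style filter chain evaluates those two rules first-match-wins, and runs a few constructed packets through them: a genuine customer packet, the spoofed amplification request the original poster describes (victim's address as source, random destination), and an inbound packet on the uplink that forges the customer range. The customer range 203.0.113.0/24 and the interface names are placeholders for the 8.x.x.0/24 and VLAN22-Customer in the post; the "strict" chain is an assumption on my part, the standard ingress/egress anti-spoofing pattern (BCP 38) rather than something from the thread. The point it makes: the posted accept rule matches on source address alone, so it also accepts uplink packets that merely claim a customer source; scoping both rules to an interface closes that.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders (assumptions, not a real deployment): stand-ins
# for the thread's 8.x.x.0/24 customer range and VLAN22-Customer interface.
CUSTOMER_RANGE = ipaddress.ip_network("203.0.113.0/24")
CUSTOMER_IF = "VLAN22-Customer"
UPLINK_IF = "ether1-uplink"


@dataclass(frozen=True)
class Packet:
    in_interface: str
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" or "drop"
    in_interface: Optional[str] = None   # None = match any interface
    src_address: Optional[str] = None    # CIDR; None = match any source
    src_negate: bool = False             # True models RouterOS "src-address=!x.x.x.x/24"

    def matches(self, pkt: Packet) -> bool:
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.src_address is not None:
            in_range = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_address)
            if in_range == self.src_negate:   # negated rule wants NOT in range
                return False
        return True


def evaluate(chain: list, pkt: Packet) -> str:
    """First matching rule wins; no match falls through to the chain's
    default, which for a RouterOS filter chain is accept."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return "accept"


# The two forward-chain rules from the reply, in the order they were posted.
POSTED_CHAIN = [
    Rule("accept", src_address=str(CUSTOMER_RANGE)),
    Rule("drop", in_interface=CUSTOMER_IF),
]

# Assumed tighter variant: drop anything entering on the customer VLAN whose
# source is NOT the customer range, and drop anything entering on the uplink
# that claims a customer source (so outsiders cannot spoof the customer either).
STRICT_CHAIN = [
    Rule("drop", in_interface=CUSTOMER_IF, src_address=str(CUSTOMER_RANGE), src_negate=True),
    Rule("drop", in_interface=UPLINK_IF, src_address=str(CUSTOMER_RANGE)),
]

# Constructed sample traffic (addresses are documentation ranges).
SAMPLE = {
    "legit":              Packet(CUSTOMER_IF, "203.0.113.10", "198.51.100.7"),
    "spoofed":            Packet(CUSTOMER_IF, "192.0.2.99",   "198.51.100.7"),  # victim as src
    "forged_from_uplink": Packet(UPLINK_IF,   "203.0.113.10", "203.0.113.20"),
    "normal_inbound":     Packet(UPLINK_IF,   "198.51.100.7", "203.0.113.10"),
}


def verdicts(chain: list) -> dict:
    """Return {sample name: accept|drop} for the given chain."""
    return {name: evaluate(chain, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, chain in (("posted", POSTED_CHAIN), ("strict", STRICT_CHAIN)):
        print(label, verdicts(chain))
```

Run it and the posted chain drops the spoofed request but accepts the forged uplink packet, while the strict chain drops both and still passes normal inbound traffic; swapping the order of the posted rules would drop the legitimate customer packet too, since the interface-only drop would then match first.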