Eric Hummel

asked on

Tracking ingress/egress traffic

We have a Palo Alto firewall (PA-500) on our public interface. We have noticed a lot of traffic on the pipe lately and we can't track it down. Is there some way to tell what is creating all the traffic? We asked our ISP to give us IP accounting on the circuit, but they are slow to respond; by the time they set this up, the high-traffic condition has normalized. Is there a software package that we can use to track our network usage? I'd want to know where packets are coming from and where they are going, and I want to see it in real time. The Palo Alto has an extra interface, so it could be used as a tap to monitor the ingress/egress traffic.
btan

Attribution to the origin IP is not easy, especially when going through the WWW. For HTTP there is X-Forwarded-For, which a proxy may insert to carry the origin sender's IP, but it can be tampered with as well; likewise for email headers, where there is a trail of the sender going via the various SMTP relays. If the source IPs keep varying across a running number of ranges, various geo-located IPs and blacklisted IPs, they may be bots or botnets attempting to DDoS your online asset.

Specific to PAN and network packets, there are session tracker stats, but more probably these can reveal what the source is attempting during the various sessions, like DDoS, port knocking, device scanning/fingerprinting, exfiltration etc. It is not obvious, especially when traffic is so high and intermittent or short-lived.

Maybe explore other cyber threat intelligence capabilities (most commonly known as a "Threat Intelligence Platform") such as ThreatStream, ThreatConnect or the Norse IPViking services. The latter is a live map, but it is also good to catch a summary list of equivalent services here, which depicts even open community providers etc.

Hence, expanding beyond just the ISP, you may even consider reporting to an authority like ICANN or an equivalent support group, though I am not sure how timely they are compared to the ISP.
...In many cases, your hosting provider or your Internet access provider should act on your behalf (and in self-interest). They will contact “upstream” providers and the ISPs that route traffic from the DDoS attack sources to notify these operators of the nature and suspected origins of the attack. These operators will investigate and will typically revoke routes or take other measures to squelch or discard traffic close to the source.

...If you cannot find contacts, or if the contacts you find are unresponsive, try contacting a Computer Incident, Emergency, or Security Incident Response Team (CERT/CIRT/CSIRT), or a Trusted Introducer (TI) team. CERT/CIRT organizations (find a national list here) or TI teams will investigate an attack, notify and share information with hosting providers or ISPs whose resources are being used to conduct the attack, and work with all affected parties to coordinate an effective mitigation.

....Contact law enforcement to report a crime, not to mitigate an attack. DDoS attacks are criminal acts in many jurisdictions. By filing a report, you and other victims provide valuable information that may be relevant in any subsequent investigation or prosecution of the attackers.
Another aspect: I am wondering if the (non-NATed) IP has any WhoIs records and reputation records in Domain Dossier, by throwing the IP as input into the online service (listing out the WhoIs, IP traces etc.). From there you can minimally see who registered and owns this IP range. More effort is needed if you are going to sinkhole this consistent source IP and try to understand what it is going to do, in effect running a honeynet and inserting honey tokens so that attribution traces are formed without the source knowing... that is not easy.
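What the asker actually wants first is a real-time view of who is talking to whom and in which direction, before any of the attribution or threat-intelligence steps above. The script below is an added example, not code from this thread or from Palo Alto Networks: it aggregates a handful of constructed, simplified traffic records (timestamp, src, dst, dport, proto, bytes sent, bytes received; this is an assumed layout, not the real PAN-OS traffic-log format) into top talkers by source and by source/destination pair, splits volume into ingress and egress against an assumed local range (198.51.100.0/24), and counts how many distinct source /24s hit each destination, which is the "many scattered sources, little volume each" pattern the answer associates with bots rather than a single heavy user. How the records are exported from the firewall or a tap is outside the example.

```python
"""Top-talker and direction summary over constructed traffic records.

Added example for this thread; not code from the original post or from
Palo Alto Networks. The record layout is a simplification (assumption):
    ts,src,dst,dport,proto,bytes_sent,bytes_received
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the site's own public range. Addresses are RFC 5737 doc ranges.
LOCAL_NETS = [ip_network("198.51.100.0/24")]

# Constructed sample records; 198.51.100.20 is a local host pushing a large
# upload out (egress), the rest is inbound web traffic from a few /24s.
SAMPLE_LOG = """\
2015-03-02T10:00:01,203.0.113.10,198.51.100.5,443,tcp,1200,95000
2015-03-02T10:00:03,203.0.113.10,198.51.100.5,443,tcp,800,40000
2015-03-02T10:00:04,192.0.2.7,198.51.100.5,80,tcp,300,12000
2015-03-02T10:00:05,198.51.100.20,203.0.113.99,443,tcp,500000,20000
2015-03-02T10:00:06,192.0.2.88,198.51.100.5,80,tcp,200,5000
2015-03-02T10:00:07,203.0.113.200,198.51.100.5,80,tcp,150,4000
"""

FIELDS = ("ts", "src", "dst", "dport", "proto", "sent", "received")


def parse_records(text):
    """Parse the simplified CSV layout; malformed lines raise rather than skew totals."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["src"] = ip_address(rec["src"])
        rec["dst"] = ip_address(rec["dst"])
        for k in ("dport", "sent", "received"):
            rec[k] = int(rec[k])
        rec["bytes"] = rec["sent"] + rec["received"]
        records.append(rec)
    return records


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def direction(rec):
    """Classify a record relative to LOCAL_NETS."""
    src_local, dst_local = is_local(rec["src"]), is_local(rec["dst"])
    if src_local and not dst_local:
        return "egress"
    if dst_local and not src_local:
        return "ingress"
    return "internal" if src_local else "transit"


def bytes_by_direction(records):
    totals = Counter()
    for rec in records:
        totals[direction(rec)] += rec["bytes"]
    return totals


def top_talkers(records, keys=("src",), n=5):
    """Total bytes grouped by one or more fields, largest first."""
    totals = Counter()
    for rec in records:
        key = tuple(str(rec[k]) for k in keys)
        totals[key[0] if len(key) == 1 else key] += rec["bytes"]
    return totals.most_common(n)


def source_prefix_spread(records, prefixlen=24):
    """Distinct source /prefixlen networks seen per destination address."""
    seen = defaultdict(set)
    for rec in records:
        seen[str(rec["dst"])].add(ip_network(f"{rec['src']}/{prefixlen}", strict=False))
    return {dst: len(nets) for dst, nets in seen.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("bytes by direction:", dict(bytes_by_direction(recs)))
    print("top sources:", top_talkers(recs))
    print("top pairs:", top_talkers(recs, keys=("src", "dst")))
    print("source /24 spread per dst:", source_prefix_spread(recs))
```

Run against a rolling window of records and the egress line answers "is one of our own hosts pushing data out?", while the per-destination prefix spread separates a single noisy client from a distributed source set that no single WhoIs lookup will explain.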
SOLUTION
DarinTCH
ASKER CERTIFIED SOLUTION