Originally I wasn't going to, but I shall now as it's a continuing issue (> 20 GB in the last 24 hours! Possibly 30 GB) and this might help people block it. Or if there are any Ziggo employees watching, they can tell the customer to knock it off. If I were paying for bandwidth per GB, I'd be quite irritated by this or even removing myself from the pool.
From the last full capture I made on March 17th, it was IP 18.104.22.168, with source port always 43172. Based on the traffic asymmetry in the graph in the first post, it may also be requesting the daytime protocol on port 13/udp, but these are all rejected and weren't logged.
However, note that this resolves back to 5ED19EA2.cm-7-2c.dynamic.ziggo.nl, which suggests it might be a consumer connection with an IP that won't be static if the client restarts their router, etc. Hence the IP might have changed since and you might have to block an entire range.
The next time I catch it in progress I'll do a similar capture and see if the IP has changed.
Hope that helps.
Edit: as an aside: could known offending IPs be blocked at the pool level by blacklisting their initial DNS requests?