Security Basics mailing list archives

DoS against ISP: what is "normal?"


From: Robert Inder <robert () interactive co uk>
Date: 18 Oct 2002 01:13:04 +0100


One of our clients has a server colocated at a local ISP.

Unfortunately, the ISP has suffered from two or three DoS attacks this year.

These incidents have caused severe disruption, rendering the server
(and indeed the entire ISP's network) inaccessible (continuously or
intermittently) for several hours while the ISP and their upstream
providers have worked to put filters in place.  Service has been
crippled for somewhere between 12 and 20 hours in all.

Our client has raised the possibility of moving to another ISP, and
I'm not sure what to say.  

The ISP's staff are accessible and generally seem organised and
competent.  For the most part we are very happy with their service,
and until these attacks we'd have certainly recommended them.

So there is a great deal of scope for jumping out of the frying pan
into the fire. 

I've tried searching for information on what would be a "typical"
level of disruption for a small-to-medium ISP, but couldn't find
anything.

Can someone point me at any relevant statistics or surveys?

Is a major DoS attack every few months par for the course these days?
Or a sign that someone has really got it in for these guys?

Is it reasonable for them to take "a few hours" to bring such an
incident under control, or does this suggest there is something wrong?

Comments?  Suggestions?

Robert.

--
Robert Inder         Interactive Information,     07770 30 40 52 (general)
07808 492 213        3, Lauriston Gardens,        0131 229 1052  (fax)
                     Edinburgh EH3 9HH
                     SCOTLAND UK

