Fuzz, Numbers
Hal Murray
hmurray at megapathdsl.net
Mon Jan 6 09:52:43 UTC 2020
> there are not only DDoS amplifiers. I see many dumb queries with 0.3-2 second
> interval. Looks like sources located behind NAT that are not NAT'ed correctly
> and do not receive my answers. Or it just has a "broken" ntp client. Or
> DDoS reflection attack. It still exists by simple queries with spoofed
> source ip. One of my clients sometimes gets such flood at 5-10Gbit/s.

I've seen a few piggy clients where whois indicates that it is likely to be a
NAT box. One was a hotel, the other was an ISP block labeled DHCP clients.
They have been piggy, but at least sane.

I've seen a few others that seemed more like DDoS redirections but no hard
evidence.

> Looks like MRU reduces the reply rate to these queries by 20-25%. I typically have
> 4kpps input and 3-3.2kpps output on server.

Is the CPU saturated? If not, there should be some counter that indicates why
the packet didn't generate a response. (It wouldn't surprise me if there are
missing cases, but if we find any, I'll fix that.)
--
These are my opinions. I hate spam.