Yes, it's subsided quite a bit. The amprgw machine is only spending less than 15% of its processor time filtering packets, vs over 25% earlier and on the weekend. Perhaps posting my filter script/program was another fine example of closing the barn door after the horse has bolted.
Well, it may come back anytime of course... The strange thing is that I see no peak at all in the traffic graphs made over the past days and weeks, and there have been much higher peaks in the past. But maybe you just were not looking at that time... (a couple of weeks ago we also experienced a DDoS attack that had several orders of magnitude more traffic)
I have done some tracing in the past to identify the most obvious problems and I can understand that you become more and more worried when studying the problem. As you well know, it consists of both attempts to hack the systems and of backscatter from attempts to attack others using spoofed source addresses.
Just now, it took 287 seconds to gather 100 million packets, comprising 7100 different source addresses. This is rather more than usual. The blocking table now contains 18,000 entries.
I have a static blocking table that has the addresses of shodan.io and other miscreants of this world, and the "research institutes" that consider it research to scan other people's networks to map out vulnerabilities etc. That includes 169.228.66.91 and 169.228.66.138 but there are lots of others so no need to get worried. I do not bother to block the scattered Chinese addresses that do only telnet scanning; for that purpose I have put a rate limiter in the firewall that limits the number of unanswered SYN requests per source address using the "recent" matching module of iptables.
Rob
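
The per-source limit on unanswered SYNs mentioned in the message above, modelled as an added example (not Rob's firewall rules and not code from this list). The rule set in the comments, the 60-second window, the hit count of 10 and the addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed iptables rules this models (one possible layout, not from the message):
#   -p tcp --syn -m recent --name syn --update --seconds 60 --hitcount 10 -j DROP
#   -p tcp --syn -m recent --name syn --set
#   -p tcp --tcp-flags SYN,ACK SYN,ACK -m recent --name syn --rdest --remove
WINDOW = 60     # --seconds (assumed value)
HITCOUNT = 10   # --hitcount (assumed value)
LIST_MAX = 20   # timestamps kept per address (xt_recent ip_pkt_list_tot default)


class RecentTable:
    def __init__(self):
        self.seen = defaultdict(list)  # outside address -> SYN timestamps

    def inbound_syn(self, src, now):
        """Verdict for a SYN arriving from outside address src at time now."""
        stamps = self.seen[src]
        hits = sum(1 for t in stamps if now - t <= WINDOW)
        verdict = "DROP" if hits >= HITCOUNT else "ACCEPT"
        # --update (on a match) and --set both record the packet, so a source
        # that keeps sending stays blocked until it is quiet for WINDOW seconds.
        stamps.append(now)
        del stamps[:-LIST_MAX]
        return verdict

    def outbound_synack(self, dst):
        """An inside host answered dst, so its SYNs are no longer unanswered."""
        self.seen.pop(dst, None)


def replay(packets):
    """packets: (time, kind, outside_addr) tuples; returns the SYN verdicts."""
    table, verdicts = RecentTable(), []
    for now, kind, addr in packets:
        if kind == "syn":
            verdicts.append((addr, table.inbound_syn(addr, now)))
        else:
            table.outbound_synack(addr)
    return verdicts


# Constructed traffic: a scanner whose SYNs get no reply, and a client that
# is answered every time. Addresses are from the documentation ranges.
SCANNER, CLIENT = "198.51.100.7", "192.0.2.10"
SAMPLE = []
for t in range(15):
    SAMPLE += [(t, "syn", SCANNER), (t, "syn", CLIENT), (t, "synack", CLIENT)]
SAMPLE.append((200, "syn", SCANNER))  # scanner returns after a quiet period
```

Because answered connections clear the entry, a busy legitimate client never accumulates hits, while a source probing closed ports or unused addresses does.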