I'm currently blocking nearly 1000 high-volume inbound hosts (those that
sent amprgw more than 10,000 packets a minute at the times of sampling),
which may account for some of the change of traffic you're seeing get
through the router.
None of the gateways are on that block list, so that doesn't account
for the drop in inbound encap traffic.
I'm usually seeing around 20 million packets a minute (about 25 MB/s)
at the inbound interface. Your 10-15 packets a minute is an awfully
small amount to leak through. I must be doing a good job of filtering.

- Brian

On Thu, May 18, 2017 at 09:46:55AM +0300, Marius Petrescu wrote:
The volume did not change (some 10-15 packets per
minute), just the type.
I suspected at some point that there is a network using 44 addresses
internally, had some leaks on them and that the garbage (DNS replies, ICMP
rejects, IP fragments and such stuff) were the replies from hosts on the
internet receiving that traffic and sending replies back via the ampr-gw.
These are gone at the moment.