Just some data points: in the last 16 hours, the firewall on amprgw has dropped over 43 million attempts to connect to the implicated ports: 623,664,16992,16993,16994,16995. We've also dropped about 2 billion attempts to connect to the other SMB ports: 111,135-139,445, etc.
This is AFTER having already dropped all packets from known 'security' scanners like shodan, which therefore aren't counted in those totals. We've dropped 63 million of those.
But by far, the most popular inbound is attempts to connect to the telnet port (23) on amprnet hosts; we've dropped 6 billion of those.
And we've dropped another 7 billion other packets that were destined for other ports on non-registered amprnet addresses. I don't have details of which ports these are, but I know that port 80 (http) is one of them.
At 25 MB/s inbound traffic, receiving packets and filtering them is taking about 10-12% of the machine, leaving it around 85% idle. The DNS nameserver accounts for about 2% of the load. The encap/decap process resource consumption is negligible. It spends about 95% of its time waiting for packets. - Brian