On second thought, state searches themselves are easy. They can be done in parallel. The inserts and removals, however, may be trickier. I read in an ancient article that on OpenBSD the states are stored in an AVL tree, a balanced binary search tree. If the situation is still similar, maintaining the states may become a bottleneck. It may be possible to update or search different tree branches at the same time, but it will require some sort of costly locking and synchronization.
If there is too much congestion waiting for a lock to the state tree, the kernel may think “I don’t have time to sort out this packet, I’ll just drop it. The sender will retry if it was important.” This might show up in network stack statistics. Maybe see “netstat -s | grep -i drop” ?
As for the forged source IP address for NTP queries, well, it is possible but nowadays that scenario is less likely. I wonder what kind of “evidence” Hetzner provided. If it’s ICMP packets saying “udp port xxx at host yyy unreachable”, it’s possibly just broken NAT near the client. Not intentional abuse but bad configuration. I see this all the time on my servers serving the SG and CN zones.
I kept wondering about the 198045 echo requests you sent to my temporary server and the 198045 responses my server sent back, because at the same time there was certainly packet loss when pinging to the other direction. But then it hit me – it’s those connection states again.
You most probably pinged my temp server at the normal 1 second intervals, but my usual ping testing does the same at only 10 second intervals. With 1 second intervals the connection state does not expire, but it might with a 10 second interval. Meaning that every 10 seconds the state would need to be re-established and subsequently pruned.
To test this theory I set up additional testing using ping with a 1 second interval to your server. I’m pinging from two different servers at UpCloud’s Singapore DC:
[graph: 10 second interval] [graph: 1 second interval]
As should be clear from the graphs, pinging with 1 second intervals fares much better. If you want to reproduce the 10 second interval pings, this is the script that I use in my MRTG setup:
#!/bin/sh
# Ping $1 thirty times at 10 s intervals, forever, and print the two values
# MRTG reads: packet loss in tenths of a percent, then average RTT in
# tenths of a millisecond.
PING="/bin/ping"
ADDR="$1"
while true
do
    # -q prints only the summary; the optional "+1 errors, " field is
    # stripped so that the loss figure stays in the same column
    DATA=$("$PING" -n -c30 -i10 "$ADDR" -q | sed 's/+1 errors, //')
    # $DATA is left unquoted on purpose: echo flattens the summary to one
    # line, so field 18 is the "N%" loss figure
    LOSS=$(echo $DATA | awk '{print $18 * 10 }' | tr -d %)
    echo "$LOSS"
    if [ "$LOSS" = 1000 ]
    then
        echo 0       # everything was lost, so there is no rtt line to read
    else
        # split on "/": field 5 of the rtt min/avg/max line is the average
        echo $DATA | awk -F/ '{print $5 * 10 }'
    fi
    sleep 10
done
You should be able to reproduce the results from pretty much anywhere with this script.
Maybe this is finally enough evidence for you to consider getting rid of tracking connection states for NTP requests.
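The script above pulls the loss and RTT figures out of the ping summary by word position (field 18, field 5 after splitting on "/"), which is why it has to strip the "+1 errors, " field first and why it breaks quietly if ping's summary wording differs. The following is an added example, not the commenter's script, that produces the same two MRTG numbers by looking for the "%" token and the "min/avg/max" line instead, so the optional errors field, a 100% loss run, and the BSD summary wording are all handled. The three ping summaries embedded in it are constructed samples, not real captures, and the address 192.0.2.1 is a placeholder.

```shell
#!/bin/sh
# ping_to_mrtg: read a "ping -q" summary on stdin and print loss*10 and
# avg*10 on two lines, each truncated to a whole number. The "+N errors,"
# field is ignored because the loss figure is found by its "%" suffix,
# and a 100% loss run (no rtt line at all) yields an average of 0, as in
# the script above.
ping_to_mrtg() {
    awk '
        /packet loss/ {
            # the token ending in "%" is the loss figure, wherever it sits
            for (i = 1; i <= NF; i++)
                if ($i ~ /%,?$/) { loss = $i; sub(/%.*$/, "", loss); loss = loss + 0 }
        }
        /min\/avg\/max/ {
            # the token after "=" is min/avg/max[/mdev]; the second part is avg
            for (i = 1; i <= NF; i++)
                if ($i == "=") { split($(i + 1), rtt, "/"); avg = rtt[2] }
        }
        END {
            printf "%d\n", loss * 10 + 0.5
            if (loss >= 100 || avg == "") print 0   # nothing came back
            else printf "%d\n", avg * 10 + 0.5
        }'
}

# Constructed sample summaries (assumed formats of iputils and BSD ping).
SAMPLE_LINUX='PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data.

--- 192.0.2.1 ping statistics ---
30 packets transmitted, 29 received, +1 errors, 3% packet loss, time 29004ms
rtt min/avg/max/mdev = 180.123/181.456/190.789/2.100 ms'

SAMPLE_BSD='PING 192.0.2.1 (192.0.2.1): 56 data bytes

--- 192.0.2.1 ping statistics ---
30 packets transmitted, 30 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.200/1.450/2.000/0.200 ms'

SAMPLE_DEAD='PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data.

--- 192.0.2.1 ping statistics ---
30 packets transmitted, 0 received, 100% packet loss, time 29700ms'

# mrtg_line: run the parser on one sample and join its two lines with a space
mrtg_line() {
    printf '%s\n' "$1" | ping_to_mrtg | tr '\n' ' ' | sed 's/ $//'
}

# In a live MRTG target the parser would sit after the real ping:
#   ping -n -q -c30 -i10 "$ADDR" | ping_to_mrtg
mrtg_line "$SAMPLE_LINUX"   # 30 1815
mrtg_line "$SAMPLE_BSD"     # 0 15
mrtg_line "$SAMPLE_DEAD"    # 1000 0
```

The loss figure is forced to a number after the "%" is stripped so that awk compares it numerically rather than as a string in the 100% check; without that, "3" would sort after "100" and a 3% run would be reported as dead.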