I run a server currently in the Netherlands zone and see a roughly twice-daily 30 minute spike of traffic from a single IPv4 address within ziggo.nl, with a constant source port that is not 123. The packets are unusually formatted, with almost all fields zeroed except the transmit timestamp, according to tcpdump.
An image of the network throughput of such a spike is attached, showing a very sharp ramp up/down and the end after almost exactly 30 mins, suggesting this is a single client caching the DNS record? At its peak it is around 30 Mbps or 40 Kpps, which is well above the normal ~1 Kpps rate seen in the zone. Normally this sort of throughput shouldn’t be an issue as the server is set as 1 Gbps for the NTP pool, but as this traffic is quite peculiar it has occasionally tripped some rather too sensitive anti-DDoS measures and subsequently impacted other services on the same machine that try to use UDP (i.e. any DNS).
Is anybody else in the zone seeing similar behaviour and is there a protocol for contacting companies that may be originating such traffic? Simply dropping, rejecting or KoD’ing the traffic doesn’t have any noticeable impact on the inbound rate, suggesting a poorly behaving client implementation. The only other reference to the IP in question online appears to be a drop rule in someone else’s firewall config.
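An added example, not code from the original post or from the NTP pool project: a small Python detector that parses 48-byte NTP datagrams, recognises the packet shape described above (every header field zero except the transmit timestamp), and flags source IP/port pairs whose per-second rate crosses a threshold while sending mostly such packets. The point for an operator is to isolate the one misbehaving source for its own rate limit or drop rule, instead of letting a host-wide anti-DDoS trigger take UDP services like DNS down with it. The sample traffic, addresses (documentation ranges), source ports and threshold are all constructed for the demonstration; the real capture is not reproduced here.

```python
import struct
from collections import Counter, defaultdict

# Layout of the 48-byte NTP header (RFC 5905): LI/VN/Mode byte, stratum, poll,
# precision, root delay, root dispersion, reference ID, then four 64-bit timestamps.
NTP_HEADER = struct.Struct("!BBbbIII8s8s8s8s")
NTP_FIELDS = ("li_vn_mode", "stratum", "poll", "precision", "root_delay",
              "root_disp", "ref_id", "ref_ts", "orig_ts", "recv_ts", "xmit_ts")
ZERO_TS = b"\x00" * 8


def parse_ntp(payload):
    """Return the header fields as a dict, or None if the datagram is too short."""
    if len(payload) < NTP_HEADER.size:
        return None
    return dict(zip(NTP_FIELDS, NTP_HEADER.unpack_from(payload)))


def is_zeroed_except_xmit(fields):
    """True for the odd shape from the post: every field zero except the transmit timestamp."""
    for name in NTP_FIELDS[:-1]:
        value = fields[name]
        if value != 0 and value != ZERO_TS:   # ints and 8-byte timestamps both checked
            return False
    return fields["xmit_ts"] != ZERO_TS


def find_abusive_sources(packets, pps_threshold, min_anomalous_fraction=0.9):
    """packets: iterable of (epoch_seconds, src_ip, src_port, udp_payload).

    Flags (src_ip, src_port) pairs whose packets are mostly malformed (zero-filled
    or too short) and whose rate reaches pps_threshold in at least one second.
    Returns {(ip, port): {"packets", "peak_pps", "anomalous_fraction"}}.
    """
    per_src_total = Counter()
    per_src_anomalous = Counter()
    per_src_per_second = defaultdict(Counter)
    for ts, ip, port, payload in packets:
        key = (ip, port)
        per_src_total[key] += 1
        per_src_per_second[key][int(ts)] += 1
        fields = parse_ntp(payload)
        if fields is None or is_zeroed_except_xmit(fields):
            per_src_anomalous[key] += 1
    result = {}
    for key, total in per_src_total.items():
        peak = max(per_src_per_second[key].values())
        fraction = per_src_anomalous[key] / total
        if peak >= pps_threshold and fraction >= min_anomalous_fraction:
            result[key] = {"packets": total, "peak_pps": peak,
                           "anomalous_fraction": round(fraction, 3)}
    return result


def build_packet(li_vn_mode, xmit_ts, **overrides):
    """Build a 48-byte NTP datagram for testing; unspecified fields are zero."""
    values = dict.fromkeys(NTP_FIELDS, 0)
    for name in ("ref_ts", "orig_ts", "recv_ts", "xmit_ts"):
        values[name] = ZERO_TS
    values.update(overrides)
    values["li_vn_mode"] = li_vn_mode
    values["xmit_ts"] = xmit_ts
    return NTP_HEADER.pack(*(values[name] for name in NTP_FIELDS))


# Constructed sample traffic (not a real capture): one source sending zero-filled
# packets at 200 pps from a fixed non-123 source port, and one ordinary v4 client
# (LI=0, VN=4, Mode=3 -> 0x23) polling once a second.
ODD_SRC = ("198.51.100.23", 40123)   # placeholder for the reported host
OK_SRC = ("203.0.113.9", 52345)
XMIT = struct.pack("!II", 0xE7000000, 0x12345678)  # arbitrary nonzero NTP timestamp

SAMPLE_PACKETS = (
    [(1000 + i / 200, ODD_SRC[0], ODD_SRC[1], build_packet(0x00, XMIT)) for i in range(200)]
    + [(1000 + i, OK_SRC[0], OK_SRC[1], build_packet(0x23, XMIT)) for i in range(3)]
)

if __name__ == "__main__":
    for (ip, port), info in find_abusive_sources(SAMPLE_PACKETS, pps_threshold=100).items():
        print(f"{ip}:{port} -> {info}")
```

Feeding it a real capture means decoding the IP/UDP layers first (for example with a pcap reader) and passing the UDP payload plus source address and port; the threshold should sit well above the zone's normal per-client rate so ordinary clients behind a NAT are not flagged.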