Anything I explicitly drop, I drop in the raw table to keep it out of the state table. The state table is more CPU-expensive, especially at high packet rates, and runs the risk of depleting the default state table limits, especially for anything that now has a broken state on purpose, like these poor lil bots. Since I brought it up, here is how to increase the state table limits.
# from /etc/sysctl.conf: increase state table limits.
# Requires 1/4 mem to hash table plus 400 overhead because I am the cargo culting king:
# cat /etc/modprobe.d/nf_conntrack.conf
# options nf_conntrack expect_hashsize=256400 hashsize=256400
net.nf_conntrack_max = 1024000
Should people use default state table memory allocations on a busy node, everyone can be locked out of it regardless of how many TB of RAM are free. The node can appear "down".
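Added example, not part of the original post: a small headroom check for the state table described above, so exhaustion shows up before the node looks "down". The function names, the 80% threshold and the sample log lines are assumptions made for illustration; the `/proc` path and the kernel's "table full, dropping packet" message are the standard Linux ones.

```shell
#!/bin/sh
# Added example: conntrack (state table) headroom check.

# Hash size by the post's rule of thumb: max/4 plus 400.
hashsize_for() {  # $1 = nf_conntrack_max
    echo $(( $1 / 4 + 400 ))
}

# Integer percentage of the state table in use.
conntrack_pct() {  # $1 = current count, $2 = max
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# OK / WARN / FULL for a given fill level and warning threshold.
conntrack_status() {  # $1 = count, $2 = max, $3 = warn percent
    pct=$(conntrack_pct "$1" "$2")
    if [ "$pct" -ge 100 ]; then echo FULL
    elif [ "$pct" -ge "$3" ]; then echo WARN
    else echo OK
    fi
}

# Count kernel log lines (stdin) reporting drops from a full table.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Constructed sample kernel log lines, for offline use.
sample_log() {
    cat <<'EOF'
[ 1021.331] nf_conntrack: nf_conntrack: table full, dropping packet
[ 1021.902] nf_conntrack: table full, dropping packet
[ 1022.100] eth0: link becomes ready
EOF
}

# Live check, only when the conntrack module is loaded on this host.
CT=/proc/sys/net/netfilter
if [ -r "$CT/nf_conntrack_count" ] && [ -r "$CT/nf_conntrack_max" ]; then
    count=$(cat "$CT/nf_conntrack_count")
    max=$(cat "$CT/nf_conntrack_max")
    echo "conntrack $count/$max: $(conntrack_status "$count" "$max" 80)"
fi
```

To check a real host for past drops, pipe the kernel log into `count_table_full`, for example `dmesg | count_table_full`.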