My (Linux) server has some fairly simple iptables rules.
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport https -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j NFLOG
iptables -A INPUT -j DROP
ICMP goes unfiltered, but no other unnecessary connections are allowed. The NFLOG rule just stores packets into a packet capture file (pcap). Because syslog got quite spammy, I looked into the details of the packets.
tshark -V -a filesize:1 -r /scooby/doo.pcap
(IPs & Ports [replaced])
Frame 1: 52 bytes on wire (416 bits), 52 bytes captured (416 bits)
Encapsulation type: Raw IP (7)
[Protocols in frame: raw:ip:gre:ip:udp:data]
Internet Protocol Version 4, Src: [incoming IP] ([incoming IP]), Dst: [my server IP] ([my server IP])
Version: 4
Header length: 20 bytes
Total Length: 52
Identification: 0x0000 (0)
Flags: 0x02 (Don't Fragment)
Time to live: 52
Protocol: GRE (47)
Generic Routing Encapsulation (IP)
Flags and Version: 0x0000
Protocol Type: IP (0x0800)
Internet Protocol Version 4, Src: [not my IP1] ([not my IP1]), Dst: [not my IP2] ([not my IP2])
Version: 4
Header length: 20 bytes
Total Length: 28
Time to live: 64
Protocol: UDP (17)
User Datagram Protocol, Src Port: [random port1] ([random port1]), Dst Port: [random port2] ([random port2])
Length: 8
The unsolicited packets are mostly ip:gre:ip:udp packets. The volume of GRE packets - usually multiple per minute - greatly outweighs other unsolicited packets (vulnerability scanners / spammers / port scanners). None of the IPs inside the GRE encapsulation have any special meaning to me, just various regular IPs belonging to (exclusively) US-based companies (so, not entirely random addresses).
Why would someone send those GRE packets?
Are there known DoS vulnerabilities related to GRE packets? Is this an attempt to fool misconfigured routers/servers into forwarding the encapsulated packets to their apparent destination? Does the sender try to gather information about the nature of potential GRE tunnels I may have set up?
Bonus: Is the most reasonable reaction really "-j DROP"-ing them?
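The ip:gre:ip:udp layering shown in the tshark dump above can be decoded without tshark. The following is an added example, not code from the original post: it parses a raw-IP frame (the encapsulation the NFLOG pcap uses), walks outer IPv4 -> GRE -> inner IPv4 -> UDP, and handles the optional GRE checksum/key/sequence fields from RFC 2784/2890. The sample frame is constructed inline with the same lengths, TTLs and DF flag as the dump; the addresses and ports are documentation-range placeholders, not the real ones.

```python
"""Decode ip:gre:ip:udp frames of the kind an NFLOG pcap shows (added example)."""
import ipaddress
import struct

GRE_PROTO = 47
UDP_PROTO = 17
ETHERTYPE_IPV4 = 0x0800
GRE_FLAG_C = 0x8000  # checksum present (RFC 2784)
GRE_FLAG_R = 0x4000  # routing present (RFC 1701, obsolete; not handled here)
GRE_FLAG_K = 0x2000  # key present (RFC 2890)
GRE_FLAG_S = 0x1000  # sequence number present (RFC 2890)


def parse_ipv4(buf, offset=0):
    """Return (header dict, payload offset) for the IPv4 header at offset."""
    if len(buf) - offset < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _cksum,
     src, dst) = struct.unpack_from("!BBHHHBBH4s4s", buf, offset)
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    hdr = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "proto": proto,
        "total_len": total_len,
        "df": bool(flags_frag & 0x4000),  # Don't Fragment bit
    }
    return hdr, offset + ihl


def parse_gre(buf, offset):
    """Return (gre dict, payload offset); skips optional C/K/S fields."""
    if len(buf) - offset < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto_type = struct.unpack_from("!HH", buf, offset)
    if flags_ver & GRE_FLAG_R:
        raise ValueError("RFC 1701 routing field not supported")
    pos = offset + 4
    gre = {"version": flags_ver & 0x7, "proto_type": proto_type,
           "key": None, "seq": None}
    if flags_ver & GRE_FLAG_C:
        pos += 4  # checksum + reserved1
    if flags_ver & GRE_FLAG_K:
        gre["key"] = struct.unpack_from("!I", buf, pos)[0]
        pos += 4
    if flags_ver & GRE_FLAG_S:
        gre["seq"] = struct.unpack_from("!I", buf, pos)[0]
        pos += 4
    return gre, pos


def decode_frame(buf):
    """Decode a raw-IP frame into outer / gre / inner / udp summaries.
    Non-GRE or non-IPv4-in-GRE frames return with the later fields None."""
    outer, pos = parse_ipv4(buf, 0)
    summary = {"outer": outer, "gre": None, "inner": None, "udp": None}
    if outer["proto"] != GRE_PROTO:
        return summary
    gre, pos = parse_gre(buf, pos)
    summary["gre"] = gre
    if gre["proto_type"] != ETHERTYPE_IPV4:
        return summary
    inner, pos = parse_ipv4(buf, pos)
    summary["inner"] = inner
    if inner["proto"] == UDP_PROTO and len(buf) - pos >= 8:
        sport, dport, ulen, _ucksum = struct.unpack_from("!HHHH", buf, pos)
        summary["udp"] = {"sport": sport, "dport": dport, "length": ulen}
    return summary


def build_sample_frame(key=None):
    """Constructed frame mirroring the tshark dump: 52 bytes, outer TTL 52 with
    DF set, GRE flags 0, inner IPv4 of 28 bytes with TTL 64, empty UDP datagram.
    Addresses/ports are placeholders (RFC 5737 ranges), not observed values.
    Pass key= to emit an RFC 2890 keyed GRE header instead (56 bytes)."""
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                        UDP_PROTO, 0,
                        ipaddress.IPv4Address("198.51.100.10").packed,
                        ipaddress.IPv4Address("203.0.113.20").packed) + udp
    if key is None:
        gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    else:
        gre = struct.pack("!HHI", GRE_FLAG_K, ETHERTYPE_IPV4, key)
    payload = gre + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                        0x4000, 52, GRE_PROTO, 0,
                        ipaddress.IPv4Address("192.0.2.1").packed,
                        ipaddress.IPv4Address("192.0.2.2").packed)
    return outer + payload


if __name__ == "__main__":
    print(decode_frame(build_sample_frame()))
```

To run it over the real capture, feed each packet's bytes from the pcap (the NFLOG file uses raw-IP link type, so the frame starts at the outer IPv4 header) into decode_frame and tally summary["inner"]["dst"]; that gives the list of "apparent destinations" without trusting anything in the GRE payload.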
According to Rick Wanner (ISC), such traffic was likely connected to the Mirai botnet. He commented on it here & here (thanks, @Aaron). As @Michal Hampton suspected, the addresses contained in the payload are a clue: they appear to match the pseudo-random number generator contained in Mirai - though I have been unable to confirm this.
Brian Krebs says his website was downed at least to some degree through GRE spam. The reasoning behind sending GRE (ip/47) as opposed to more traditional DDoS methods is not obvious. Speculation on why GRE is used in DDoS: