When a client application connects to a Hadoop service, the client asks the KDC each time it makes a request to the acceptor service. Ex: hdfs dfs -ls /tmp
Also, a Hadoop service asks another Hadoop service (usually an HTTP SPN). I don't know why, but I guess it is some status request-response. Ex.: hdfs/host1@REALM for HTTP/host2@REALM
If I do thousands of requests, my KDC server goes mad from the number of requests.
I attempted to create my simple Java client and server application, and during stress-testing I got the same KDC DDoS.
I checked the Kerberos (GSS) mechanism in other servers and applications, for example the PostgreSQL server with the psql client app, and the Apache web server with curl. Both of them are written in C++. So I cannot configure a JAAS config. Also, I have to execute kinit every 24 hours for the psql application when I get a Ticket expired error. Those applications create a ticket cache (klist) and re-use it for each request.
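To see which principals are behind the request volume described above, the KDC log can be tallied per client and service pair. This is an added example, not code from the original post; it assumes MIT krb5kdc-style log lines (the post does not name the KDC), and the sample lines, host names and addresses are constructed.

```python
import re
from collections import Counter

# Assumed MIT krb5kdc log shape: "...: TGS_REQ (...) <addr>: ISSUE: ..., <client> for <service>"
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) .*: ISSUE: .*, "
    r"(?P<client>\S+) for (?P<service>\S+)$"
)

def _line(sec, req, client, service):
    """Build one constructed log line (not captured from a real KDC)."""
    return (f"Mar 01 10:00:{sec:02d} kdc1 krb5kdc[811](info): {req} "
            f"(2 etypes {{18 17}}) 10.0.0.5: ISSUE: authtime 1709287201, "
            f"etypes {{rep=18 tkt=18 ses=18}}, {client} for {service}")

# Constructed sample: alice re-requests the same service ticket three times,
# and one Hadoop service requests an HTTP SPN twice.
SAMPLE_LOG = "\n".join([
    _line(1, "AS_REQ", "alice@REALM", "krbtgt/REALM@REALM"),
    _line(2, "TGS_REQ", "alice@REALM", "hdfs/host1@REALM"),
    _line(3, "TGS_REQ", "hdfs/host1@REALM", "HTTP/host2@REALM"),
    _line(4, "TGS_REQ", "alice@REALM", "hdfs/host1@REALM"),
    "Mar 01 10:00:05 kdc1 krb5kdc[811](info): closing down fd 12",
    _line(6, "TGS_REQ", "bob@REALM", "postgres/db1@REALM"),
    _line(7, "TGS_REQ", "hdfs/host1@REALM", "HTTP/host2@REALM"),
    _line(8, "TGS_REQ", "alice@REALM", "hdfs/host1@REALM"),
])

def count_issued(log_text):
    """Count issued tickets per (request type, client, service)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:  # lines that are not ticket issuance are skipped
            counts[(m["req"], m["client"], m["service"])] += 1
    return counts

def repeated_service_tickets(counts, threshold=2):
    """(client, service) pairs with >= threshold TGS_REQ issues, busiest first.

    A client that keeps its service ticket in a cache asks once per ticket
    lifetime, so repeats inside that window point at a client without reuse.
    """
    hits = [((c, s), n) for (req, c, s), n in counts.items()
            if req == "TGS_REQ" and n >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for (client, service), n in repeated_service_tickets(count_issued(SAMPLE_LOG)):
        print(f"{n:4d}  {client} -> {service}")
```
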