I looked at his screen and pointed out those packets were coming from his computer. Whoops. Turns out he'd forwarded a port through the NAT to his desktop, his desktop had had a "test" account from way back, and some IRC kids from Italy (?) had figured this out. Double whoops. At least the DoS mystery is solved.
I stuck my Ruby NAT-PMP library into version control to check in simple program for ssh "knocking". The idea is that you send a UDP packet to a special port to get the real ssh forwarded port open. So now there are no "open" ports, in that you don't get any response to your UDP "knock". It's easy to imagine more complicated variations on this (like sending a pre-password "open sesame" bit in the UDP packet so that an attacker couldn't just spray UDP at the machine and then port-scan TCP), but that's expecting a lot out of people.
Does anyone know how to get netcat to send a UDP packet and quit? The "-z" option sends two for some reason, while "echo foo | nc ..." has to be ctl-C'd to quit.