Since I moved my DNS records to Cloudflare (that is: the nameserver is now the one from Cloudflare), I get tons of odd connections, most notably SYN packets to either 443 or 22, which never respond back after the SYN-ACK. They ping me once a second on average, distributing the IPs over a /24 network.
I really don't understand why they do this, and it's mostly some shady origins, like vps game server hoster from Brazil and so on.
I'm at the point where I capture all the traffic and look for SYN packets, check the RDAP records for them to decide if I then drop the entire subnets of that organization, whitelisting things like Google.
Digital Ocean is notoriously a source of bad traffic, they just don't care at all.
These are spoofed packets for SYN-ACK reflection attacks. Your response traffic goes to the victim, and since network stacks are usually configured to retry the SYN-ACK a few times, they also get amplification out of it.
There is a solution to that, but it requires these companies to implement source address validation. If your ISP is on the list, maybe complain about it.
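As an added example (not code from anyone in this thread): the script below does the capture-side triage the original post describes, but reads it through the reflection explanation above. It takes a constructed packet log, picks out sources that only ever sent a SYN and never continued the handshake, groups them by /24 (which, if the SYNs are spoofed, is the victim's prefix rather than the attacker's), and estimates how many SYN-ACKs the victim receives per spoofed SYN. The log format is made up for the example; the retry count assumes the Linux default of net.ipv4.tcp_synack_retries = 5.

```python
"""Triage one-sided SYN traffic and estimate SYN-ACK reflection amplification.

Added example, not from the thread. The packet records are constructed to
look like what a simple capture tool might emit: (seconds, src_ip, dst_port,
tcp_flags).  Flags: "S" = SYN only, "A" = ACK, "PA" = PSH+ACK.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: four SYN-only sources in one /24 (the pattern the
# original poster describes) plus one client that completes the handshake.
SAMPLE_PACKETS = [
    (0.0, "203.0.113.10", 443, "S"),
    (0.2, "203.0.113.11", 22, "S"),
    (1.1, "203.0.113.12", 443, "S"),
    (1.3, "203.0.113.13", 443, "S"),
    (2.0, "198.51.100.7", 443, "S"),
    (2.1, "198.51.100.7", 443, "A"),   # real client: third handshake packet
    (2.2, "198.51.100.7", 443, "PA"),  # and application data
]

# Assumption: Linux default for net.ipv4.tcp_synack_retries.
LINUX_SYNACK_RETRIES = 5


def half_open_sources(packets):
    """Sources that sent a SYN and never sent any non-SYN packet afterwards.

    A spoofed SYN can never be followed by an ACK from the same source,
    because the source never received the SYN-ACK (the victim did).
    """
    syn_only, followed_up = set(), set()
    for _, src, _, flags in packets:
        if flags == "S":
            syn_only.add(src)
        else:
            followed_up.add(src)
    return syn_only - followed_up


def group_by_prefix(ips, prefix_len=24):
    """Group addresses by /prefix_len. For spoofed SYNs this is the victim's
    prefix: dropping it blocks the victim, not whoever sent the packets."""
    groups = defaultdict(list)
    for ip in sorted(ips):
        net = ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[str(net)].append(ip)
    return dict(groups)


def synacks_per_spoofed_syn(retries=LINUX_SYNACK_RETRIES):
    """One initial SYN-ACK plus one per retransmission."""
    return 1 + retries


def reflected_packets(n_spoofed_syns, retries=LINUX_SYNACK_RETRIES):
    """Packets the victim receives from this host for n spoofed SYNs."""
    return n_spoofed_syns * synacks_per_spoofed_syn(retries)


def average_syn_rate(packets, sources):
    """Average SYNs per second from the given sources over the capture window."""
    times = [t for t, src, _, flags in packets if flags == "S" and src in sources]
    if len(times) < 2:
        return float(len(times))
    window = max(times) - min(times)
    return len(times) / window if window > 0 else float(len(times))


def report(packets, retries=LINUX_SYNACK_RETRIES):
    suspects = half_open_sources(packets)
    return {
        "half_open_sources": sorted(suspects),
        "prefixes": group_by_prefix(suspects),
        "syn_rate_per_s": average_syn_rate(packets, suspects),
        "victim_packets_per_syn": synacks_per_spoofed_syn(retries),
        "victim_packets_total": reflected_packets(len(suspects), retries),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_PACKETS).items():
        print(f"{key}: {value}")
```

The useful output is the prefix grouping together with the per-SYN multiplier: a single /24 full of sources that never complete a handshake, each costing the victim six packets per SYN at the default retry setting, is the signature of being used as a reflector rather than being scanned. Lowering tcp_synack_retries on the reflector reduces the multiplier but does not stop the reflection; only source address validation at the spoofing network does.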
> like vps game server hoster from Brazil and so on.
Probably someone DDoSing a Minecraft server or something.
People in games do this where they DDoS each other. You can get access to a DDoS panel for as little as $5 a month.
Some providers allow for spoofing the src ip, that's how they do these reflection attacks. So you're not actually dropping the sender of these packets, but the victims.
Consider turning reverse path filter to strict as a basic anti-spoofing method and see if it helps.
How does rp_filter on the server side help at all? For a cloud server with a single interface it literally does nothing. Maybe I'm misunderstanding your suggestion.
No but your electricity company will absolutely rat you out if your electricity usage skyrockets and the police will pop by to see if you’re running a grow op or something.