by zinekeller 1724 days ago
Update: they apparently also have a paid product called "Cloudflare for Teams", which also uses the same infrastructure and is targeted at companies. Probably the reason they don't block out SSH is that companies do want SSH access - but I'm pretty sure that RDP access would be higher on the list.

My friend working in an ISP has cleared the mystery for me - it's Cloudflare's Warp product (a semi-VPN (in the "teleport to other countries" sense, not the original definition)), which can be used for free, and I'm not shocked that it is being abused. Cloudflare has also categorically denied that their Worker product allows SSH connections - it is simply not designed for that, apparently.

So I don't know how to respond to this specifically except that I didn't know Cloudflare offers a VPN (apparently a limited knocked-down one though) and I'm pretty sure that other people in other ASes scan the default SSH port - in fact, I see more and more scans from ASes of cloud providers than residential ASes, whereas five years ago I mainly saw Chinese and Brazilian residential ISPs. This is why I often move the SSH port - it's not that it improves my security posture, just so that the noise in the logs is minimised.


> Cloudflare has also categorically denied that their Worker product allows SSH connections - it is simply not designed for that, apparently.

Hi, I'm the tech lead of Workers, so I'll clarify.

At present, Workers can only generate HTTP traffic, because the only API we've given Workers for network communications is `fetch()`, which is HTTP-specific. This is similar to how in-browser JavaScript today cannot open arbitrary TCP connections, because there's no API for it. It's likely we'll add an API for arbitrary TCP eventually, but at the moment it's not possible that this traffic comes from Workers.

(As far as where it did come from, I don't have any internal knowledge, but WARP traffic (that's our VPN-like service) seems like an obvious explanation to me.)

His dump of packets shows an MSS of 1380 versus the more common default 1460, which sounds like it's coming from something with tunneled traffic. MSS 1380 would correspond to a source MTU of 1420, which is a typical default for a GRE tunnel in IPsec Tunnel mode. Pretty sure that's what WARP is.
WARP is Wireguard but yeah, otherwise this is pretty much on point. Traffic is tunneled, likely just a random WARP user abusing Cloudflare's free VPN service to do some scanning.
Ah, okay. Google searches suggest the default MTU on Wireguard is also 1420, which would produce an MSS of 1380. So that makes sense.
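The MSS-to-MTU inference in the exchange above (MSS 1380 implies a 1420-byte source MTU, matching the WireGuard default) is easy to automate when triaging a packet capture. The following is an added example, not code from any of the commenters or from Cloudflare: it builds a constructed IPv4/TCP SYN carrying an MSS option, parses the TCP option list the way a capture tool would, and converts the advertised MSS back to the MTU the sender most likely has. The `KNOWN_MTUS` table is an illustrative assumption listing a few common defaults; the only value the thread itself supports is 1420 for WireGuard.

```python
import struct

# Assumed illustrative table of common interface MTUs. Only the 1420 entry is
# stated in the thread (WireGuard default); the others are typical defaults.
KNOWN_MTUS = {
    1500: "plain Ethernet, no tunnel",
    1492: "PPPoE",
    1420: "WireGuard default (what WARP uses)",
}

IPV4_TCP_OVERHEAD = 20 + 20   # IPv4 header + TCP header with no options
IPV6_TCP_OVERHEAD = 40 + 20   # IPv6 header + TCP header with no options


def build_ipv4_syn(mss: int) -> bytes:
    """Construct a minimal IPv4 + TCP SYN to 22/tcp carrying an MSS option.

    Constructed sample for the example; checksums are left as zero because the
    parser below never validates them.
    """
    options = struct.pack("!BBH", 2, 4, mss)          # kind=2 (MSS), len=4, value
    tcp_header_len = 20 + len(options)
    data_offset = (tcp_header_len // 4) << 4            # upper nibble = header words
    tcp = struct.pack("!HHIIBBHHH",
                      54321, 22,        # src port, dst port
                      0, 0,             # seq, ack
                      data_offset, 0x02,  # data offset, flags (SYN)
                      64240, 0, 0) + options  # window, checksum, urgent
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0x4000, 64, 6, 0,   # proto 6 = TCP
                     bytes([198, 51, 100, 10]),   # RFC 5737 documentation addresses
                     bytes([203, 0, 113, 5]))
    return ip + tcp


def tcp_mss_from_ipv4_packet(pkt: bytes):
    """Walk the TCP option list of an IPv4/TCP packet and return the MSS, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                      # not TCP
        return None
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    opts = tcp[20:data_off]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # End of option list
            break
        if kind == 1:                    # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):           # truncated option, stop rather than over-read
            break
        length = opts[i + 1]
        if length < 2:                   # malformed length would loop forever
            break
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def implied_mtu(mss: int, ipv6: bool = False) -> int:
    """MTU the sender was most likely using, assuming no IP/TCP options on its side."""
    return mss + (IPV6_TCP_OVERHEAD if ipv6 else IPV4_TCP_OVERHEAD)


def classify_mss(mss: int, ipv6: bool = False):
    """Return (implied MTU, best-guess description) for an advertised MSS."""
    mtu = implied_mtu(mss, ipv6)
    return mtu, KNOWN_MTUS.get(mtu, "unknown MTU, possibly tunneled or PMTU-clamped")


if __name__ == "__main__":
    syn = build_ipv4_syn(1380)
    mss = tcp_mss_from_ipv4_packet(syn)
    print("advertised MSS:", mss, "->", classify_mss(mss))
```

One caveat when using this on real traffic: a middlebox doing MSS clamping produces the same 1380 value without any tunnel on the sender's host, so a single SYN only narrows the candidates; corroborate with the source ASN and TTL before concluding the traffic was tunneled.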
> a semi-VPN (in the "teleport to other countries" sense, not the original definition)

It's weird how the "VPN providers" have taken that acronym and turned it into what is basically another synonym for "proxy".

FYI the WARP VPN is _not anonymizing_ and doesn’t claim to be. If you connect through WARP to a website behind Cloudflare, they will include your real IP in a header.

The main point of WARP is to circumvent ISP traffic shaping (which works quite well btw).

I mean, I just learned about Warp because of this, so if there are misunderstandings that my friend didn't think to clarify (probably because she thought that I already knew Warp), then apologies. The HN edit clock has since been long-expired, so I cannot add corrections about this.