by tyingq 1724 days ago
His dump of packets shows an MSS of 1380 versus the more common default 1460, which sounds like it's coming from something with tunneled traffic. MSS 1380 would correspond to a source MTU of 1420, which is a typical default for a GRE tunnel in IPv4sec Tunnel mode. Pretty sure that's what WARP is.
1 comments

WARP is WireGuard but yeah, otherwise this is pretty much on point. Traffic is tunneled, likely just a random WARP user abusing Cloudflare's free VPN service to do some scanning.
Ah, okay. Google searches suggest the default MTU on WireGuard is also 1420, which would produce an MSS of 1380. So that makes sense.
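
The MSS reasoning in this thread, as an added example that is not part of the original comments: it walks the TCP options of a captured SYN, pulls out the MSS, and reports the MTU that value implies. It assumes IPv4 with 20-byte IP and TCP base headers; the function names and the sample SYN bytes are constructed for illustration.

```python
import struct

IPV4_HDR = 20        # assumed: IPv4 header without options
TCP_HDR = 20         # TCP header without options
ETHERNET_MTU = 1500  # baseline for an untunneled Ethernet path

def tcp_mss(segment: bytes):
    """Return the MSS option from a raw TCP header, or None if it is absent."""
    if len(segment) < TCP_HDR:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    if not TCP_HDR <= data_offset <= len(segment):
        raise ValueError("bad TCP data offset")
    opts = segment[TCP_HDR:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # End of Option List
            break
        if kind == 1:                             # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):                    # length byte missing
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):  # malformed option
            break
        if kind == 2 and length == 4:             # Maximum Segment Size
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def implied_mtu(mss: int) -> int:
    """MTU the sender's interface must have to advertise this MSS."""
    return mss + IPV4_HDR + TCP_HDR

def tunnel_overhead(mss: int) -> int:
    """Bytes missing relative to plain Ethernet; above 0 hints at encapsulation."""
    return ETHERNET_MTU - implied_mtu(mss)

def build_syn(mss: int) -> bytes:
    """Constructed sample: SYN header with NOP, NOP, SACK-permitted, MSS options."""
    opts = bytes([1, 1, 4, 2]) + struct.pack("!BBH", 2, 4, mss)
    offset_flags = (((TCP_HDR + len(opts)) // 4) << 12) | 0x002  # SYN flag
    return struct.pack("!HHIIHHHH", 40000, 443, 1, 0, offset_flags, 64240, 0, 0) + opts

if __name__ == "__main__":
    for mss in (1460, 1380):
        print(mss, implied_mtu(tcp_mss(build_syn(mss))), tunnel_overhead(mss))
```
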