[nonamesleft]

A lot of these seem to use zmap (https://github.com/zmap/zmap) or masscan (https://github.com/robertdavidgraham/masscan) for the initial scan.

Often with default parameters such as zmap setting ip id to 54321, having tcp initial window at 65535, having no SACK bit set and masscan with no SACK bit either, tcp initial window at 1024, tcp maximum segment size 1460 (which is strange to put below initial window size!), (older versions having fixed src port 61000 or 60000 from documentation examples and no MSS set), all of which are extremly uncommon in legitimate traffic and thus easily identified.

Even those so called "legitimate" scanners (emphasis on the "") seem to use these tools with little or no extra configuration.

With this setup the last time my high-port ssh (key-only) has got an attempt on it was 2023-07-26 (previous intruders get permanently firewalled).