A few hours ago, I logged into my server by ssh through a mobile device with Cloudflare Warp activated. It was not the usual port 22, but a custom configured port. I did the thing I needed to do and logged out after a few minutes.
Since then that port has been getting storms of TCP RST packets from various Cloudflare Warp IPs. Each storm consisted of around 2000 RST packets (interleaved with a few SYN, ACK and FIN ACK), came from a few different Cloudflare IP addresses, and lasted around 5 minutes. Then it dies down for about half an hour to 2 hours, and another storm of RST packets hits again. This cycle has been going on 3 or 4 times.
My server typically don’t get this kind of unusual packets. I believe they are related to my having logged in through Cloudflare Warp this morning because: 1. all the IPs sending incoming RST packets are Cloudflare IPs; and 2. the port number is not one of the usual ports that always get probed.
Is there an explanation for this behaviour? While they don’t have a noticeable impact on my server’s operation, they do cause an alarm at the firewall logs.