My server keeps getting TCP RST packets from Cloudflare Warp addresses

A few hours ago, I logged into my server by ssh through a mobile device with Cloudflare Warp activated. It was not the usual port 22, but a custom configured port. I did the thing I needed to do and logged out after a few minutes.

Since then that port has been getting storms of TCP RST packets from various Cloudflare Warp IPs. Each storm consisted of around 2000 RST packets (interleaved with a few SYN, ACK and FIN ACK), came from a few different Cloudflare IP addresses, and lasted around 5 minutes. Then it dies down for about half an hour to 2 hours, and another storm of RST packets hits again. This cycle has been going on 3 or 4 times.

My server typically don’t get this kind of unusual packets. I believe they are related to my having logged in through Cloudflare Warp this morning because: 1. all the IPs sending incoming RST packets are Cloudflare IPs; and 2. the port number is not one of the usual ports that always get probed.

Is there an explanation for this behaviour? While they don’t have a noticeable impact on my server’s operation, they do cause an alarm at the firewall logs.

To supplement: Just realised my firewall is set up in such a way that the first few TCP SYN packets are accepted with no logs, while subsequent packets are logged when considered suspicious enough. So in each case there was an influx of SYN packets preceding those RST packets. Still, the SYN packets from multiple Cloudflare Warp IPs are still inexplicable in the first place.

Hi! I’m the Engineering Manager at Cloudflare for the Argo Smart Routing project. I believe what you’re observing is the behavior of the integration of Smart Routing into Warp+. When a Warp+ user visits a new Internet destination, Argo Smart Routing’s control plane identifies the new origin (IP + port) and starts periodically creating TCP connections from each of our edge data centers to measure round-trip latency between the origin and Cloudflare. This lets us find the fastest paths between any Internet user and Internet origin using Warp+ with Smart Routing. Measuring periodically allows us to update our latency metrics and adjust our routes – performance on the Internet is constantly changing!

It sounds like the RST packets are explainable by your firewall configuration, but if not please let me know. That’s not expected behavior on our side, and if we are inducing that I’d like to connect with you to learn more and see how we can resolve the issue.

We’re always looking for product feedback, so please feel free to share your ideas and experience with us so we can make our products better for you and the millions of other Internet users and origin owners benefitting from the performance improvements of Warp+!

Nick Wondra
Engineering Manager
Cloudflare

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.