Is Cloudflare abusing my SSH?

Hello!

Everyone knows Cloudflare and its DDoS protection service. But recently I have observed strange traffic coming from 8.0.0.0/9 in my endlessh logs.

When I looked more closely, I was surprised: all those probes were from AS13335 (Cloudflare, 164 /24 subnets). I could not imagine any legitimate scenario for such abusive probing (this is not a simple SYN scan, but a full 3-way handshake and an attempt to establish an SSH connection, like when bots brute-force credentials). I have tried to report the abuse to abuse [@] centurylinkservices [.] net and abuse [@] cloudflare [.] com, even via the form on their website, but no answer was received besides automatic replies like “Due to the pass-through nature of our services, our IP addresses appear in WHOIS and DNS records for websites using Cloudflare.”

I have sent them multiple pcap dumps and logs from honeypots, including a link to blocklist.de, but they just ignore me. This is why this blog post is being written. Maybe public attention will uncover the truth and the actual goals of Cloudflare.

Logs

I have captured traffic with sudo tcpdump -w cf-22-syn.pcap -nni eth0 'tcp and port 22 and net 8.0.0.0/9 and tcp[tcpflags] & (tcp-syn) != 0'. Short summary of the packets with the SYN flag set:

2021-09-23 20:22:45.148943 IP 8.30.234.23.60145 > 51.75.150.xxx.22: Flags [S], seq 3288285390, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 20:27:09.994445 IP 8.37.43.232.54209 > 51.195.121.xxx.22: Flags [SEW], seq 3455356402, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 20:27:10.811575 IP 8.37.43.232.54209 > 51.195.121.xxx.22: Flags [S], seq 3455356402, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 20:27:10.811655 IP 51.195.121.xxx.22 > 8.37.43.232.54209: Flags [S.], seq 2956982849, ack 3455356403, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-09-23 20:35:08.402642 IP 8.30.234.23.55058 > 51.195.121.xxx.22: Flags [SEW], seq 3044135397, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 20:35:09.242116 IP 8.30.234.23.55058 > 51.195.121.xxx.22: Flags [S], seq 3044135397, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 20:35:09.242223 IP 51.195.121.xxx.22 > 8.30.234.23.55058: Flags [S.], seq 4274772986, ack 3044135398, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-09-23 20:43:37.840176 IP 8.37.43.232.59263 > 51.195.121.xxx.22: Flags [SEW], seq 2884062547, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 20:43:40.855381 IP 8.37.43.232.59263 > 51.195.121.xxx.22: Flags [SEW], seq 2884062547, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 20:43:41.668022 IP 8.37.43.232.59263 > 51.195.121.xxx.22: Flags [S], seq 2884062547, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 20:43:41.668123 IP 51.195.121.xxx.22 > 8.37.43.232.59263: Flags [S.], seq 3485232279, ack 2884062548, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-09-23 21:26:48.807815 IP 8.21.11.96.58511 > 51.195.121.xxx.22: Flags [SEW], seq 1269935758, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 21:26:49.618353 IP 8.21.11.96.58511 > 51.195.121.xxx.22: Flags [S], seq 1269935758, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 21:26:49.618489 IP 51.195.121.xxx.22 > 8.21.11.96.58511: Flags [S.], seq 1502906346, ack 1269935759, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-09-23 21:28:57.658573 IP 8.30.234.23.53953 > 51.75.150.xxx.22: Flags [SEW], seq 2818213579, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 21:29:00.735690 IP 8.30.234.23.53953 > 51.75.150.xxx.22: Flags [SEW], seq 2818213579, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 21:29:06.735422 IP 8.30.234.23.53953 > 51.75.150.xxx.22: Flags [S], seq 2818213579, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
2021-09-23 21:33:21.648478 IP 8.30.234.23.63846 > 51.195.121.xxx.22: Flags [SEW], seq 315427065, win 64860, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
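
To triage a capture like this one, here is an added example (my code, not from the original post) that groups the tcpdump summary lines per client port, counts ECN-setup SYNs ([SEW]) against plain retries, and lists the sources inside 8.0.0.0/9 whose SYN the host answered with a SYN-ACK. The sample lines are constructed (192.0.2.10 stands in for the redacted honeypot address); because the filter above keeps only SYN-flagged packets, the third ACK is absent, so a SYN-ACK marks a candidate to confirm in the full-connection capture rather than a proven completed handshake.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the tcpdump -nn summary format shown above; 192.0.2.10 stands
# in for the redacted honeypot address. Not a real capture.
SAMPLE = """\
2021-09-23 20:27:09.994445 IP 8.37.43.232.54209 > 192.0.2.10.22: Flags [SEW], seq 3455356402, win 64860, length 0
2021-09-23 20:27:10.811575 IP 8.37.43.232.54209 > 192.0.2.10.22: Flags [S], seq 3455356402, win 64860, length 0
2021-09-23 20:27:10.811655 IP 192.0.2.10.22 > 8.37.43.232.54209: Flags [S.], seq 2956982849, ack 3455356403, length 0
2021-09-23 21:29:06.735422 IP 8.30.234.23.53953 > 192.0.2.10.22: Flags [S], seq 2818213579, win 64860, length 0
2021-09-23 21:30:00.000000 IP 203.0.113.7.40000 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
"""

# host.port > host.port: Flags [..]; the greedy host match leaves the last dotted field as the port.
LINE_RE = re.compile(r"^\S+ \S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

def parse_line(line):
    """Return (src, sport, dst, dport, flags), or None if the line is not a tcpdump summary."""
    m = LINE_RE.match(line)
    return None if m is None else (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def flow_summary(lines, prefix="8.0.0.0/9"):
    """Per (client IP, client port): SYNs sent, SYNs with ECE+CWR set ([SEW]), whether we
    replied with SYN-ACK ([S.]), and whether the client is inside the prefix. A SYN-only
    capture holds no third ACK, so 'synack' means we answered, not that the handshake finished."""
    net = ip_network(prefix)
    flows = defaultdict(lambda: {"syn": 0, "ecn_syn": 0, "synack": False, "in_prefix": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, sport, dst, dport, flags = rec
        if flags == "S.":                        # our SYN-ACK: the client is the destination
            flows[(dst, dport)]["synack"] = True
            flows[(dst, dport)]["in_prefix"] = ip_address(dst) in net
        elif "S" in flags and "." not in flags:  # client SYN, plain or ECN-setup
            f = flows[(src, sport)]
            f["syn"] += 1
            f["ecn_syn"] += int("E" in flags and "W" in flags)
            f["in_prefix"] = ip_address(src) in net
    return dict(flows)

def answered_probes(lines, prefix="8.0.0.0/9"):
    """Clients inside the prefix whose SYN we answered: the ones to check in the full capture."""
    return sorted(k for k, f in flow_summary(lines, prefix).items() if f["in_prefix"] and f["synack"])
```

Feed it the output of tcpdump -nnr cf-22-syn.pcap to get the same per-port breakdown for the real capture.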

You can see full PCAP here: https://encryp.ch/bin/d6fe15f1dd4ff881d6bbc0cc497e2df80c824576cc1b425944123539e05385e7/cf-22-syn.pcap.gz.

PCAP with entire connection capture: https://encryp.ch/bin/1ba9392bb56540a62280b040bd3b09c7f3c56c7e0f6c9c1bb42ae3e5aa0daa5d/cf-22-all.pcap.gz.

Both files are compressed, but Wireshark can open them without additional decompression.