The author received an abuse report regarding potential security issues on their IP address, leading them to investigate a series of denied SSH connections from their server to random IPs. After thorough analysis, they discovered that their server wasn’t actually initiating the connections – instead, they were receiving TCP reset packets, likely the result of IP spoofing. This incident raised concerns about the lack of enforcement of BCP38, making it easy for malicious actors to flood innocent servers with abuse complaints. The attack doesn’t target Tor specifically but can impact any server. The article serves as a warning of the broken state of internet security and the need for better enforcement of rules.
https://delroth.net/posts/spoofed-mass-scan-abuse/
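A check in the spirit of the investigation summarized above, added here as an example and not taken from the linked article: it reads `tcpdump -n` style lines and separates inbound RST or SYN-ACK packets that answer a SYN the host really sent from those that answer nothing, which is what replies to spoofed traffic look like. `LOCAL_IP`, the sample capture and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

LOCAL_IP = "192.0.2.10"  # assumption: the address named in the abuse report

# Constructed `tcpdump -n` style lines using documentation addresses, not real capture data.
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10.50022 > 198.51.100.5.22: Flags [S], seq 100, win 64240, length 0
12:00:01.020000 IP 198.51.100.5.22 > 192.0.2.10.50022: Flags [R.], seq 0, ack 101, win 0, length 0
12:00:02.000000 IP 203.0.113.7.22 > 192.0.2.10.41000: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:02.100000 IP 203.0.113.8.22 > 192.0.2.10.41001: Flags [S.], seq 9, ack 1, win 65535, length 0
12:00:02.200000 IP 203.0.113.9.22 > 192.0.2.10.41002: Flags [R], seq 1, win 0, length 0
"""

LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([A-Za-z.]+)\]"
)

def classify(capture, local_ip=LOCAL_IP):
    """Split inbound RST / SYN-ACK replies into solicited and unsolicited."""
    syn_sent = set()  # (local_port, remote_ip, remote_port) for each SYN this host sent
    result = {"solicited": [], "unsolicited": []}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if src == local_ip and flags == "S":
            syn_sent.add((sport, dst, dport))
        elif dst == local_ip and ("R" in flags or flags == "S."):
            # A reply is solicited only if we saw our own SYN for the same 4-tuple.
            key = (dport, src, sport)
            bucket = "solicited" if key in syn_sent else "unsolicited"
            result[bucket].append((src, int(sport), flags))
    return result

def summarize(result):
    """Count unsolicited replies per remote service port (22 means SSH)."""
    return Counter(port for _, port, _ in result["unsolicited"])

if __name__ == "__main__":
    report = classify(SAMPLE)
    for kind, rows in report.items():
        print(kind, rows)
    print("unsolicited by remote port:", dict(summarize(report)))
```

The capture has to cover the start of every connection and be taken on the host's own interface; a reset on a session opened before the capture began would otherwise be counted as unsolicited.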