I’ve noticed something new on my Debian Linux VPS. When I run “ss” or “netstat” with the appropriate parameters I find that there are a lot of IPv6 connections in the SYN-RECV state. This is something new.
The connections all seem to be to port 443 (my Apache HTTPS port). They all seem to be IPv6 mapped IPv4 source addresses. If you geo lookup the IPv4 address, they map to Brazil. This has persisted over weeks, maybe longer, and the IPs do shift over time, especially the first and second components; the third seems to be in the 220-223 range, the fourth seems to be random, and the port seems random. The ones I’ve seen are all Brazil. It does not seem to be DDoS related as it causes no other issues I can see, and I see no evidence of intrusion. Just don’t like this new thing. Feels like some sort of scanning.
So any ideas of what this is, or what to do about it?
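To check whether the SYN-RECV peers described above cluster in a few networks, the following added example (not part of the original post) tallies them per source prefix from `ss -tan` output, unwrapping `::ffff:a.b.c.d` mapped addresses to plain IPv4. The sample text is constructed with documentation-range addresses, and the function names and the /24 and /64 grouping are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of `ss -tan` output (documentation-range addresses).
SAMPLE = """\
State     Recv-Q Send-Q        Local Address:Port          Peer Address:Port
SYN-RECV  0      0      [::ffff:203.0.113.10]:443  [::ffff:198.51.100.23]:51514
SYN-RECV  0      0      [::ffff:203.0.113.10]:443  [::ffff:198.51.100.77]:40211
SYN-RECV  0      0      [::ffff:203.0.113.10]:443  [::ffff:192.0.2.5]:60122
ESTAB     0      0      [::ffff:203.0.113.10]:443  [::ffff:192.0.2.9]:53311
SYN-RECV  0      0      203.0.113.10:22            192.0.2.44:41000
LISTEN    0      511    *:443                      *:*
"""

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port

def normalize(host):
    """Parse an address, unwrapping IPv4-mapped IPv6 to IPv4."""
    addr = ipaddress.ip_address(host)
    if addr.version == 6 and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr

def syn_recv_by_prefix(ss_output, local_port="443", v4_prefix=24):
    """Count half-open connections to local_port per source network."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        if split_endpoint(fields[3])[1] != local_port:
            continue
        try:
            peer = normalize(split_endpoint(fields[4])[0])
        except ValueError:  # wildcard or unparsable peer
            continue
        prefix = v4_prefix if peer.version == 4 else 64
        net = ipaddress.ip_network(f"{peer}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts

if __name__ == "__main__":
    for net, n in syn_recv_by_prefix(SAMPLE).most_common():
        print(f"{n:5d}  {net}")
```

On a live host, pass the captured text of `ss -tan` to `syn_recv_by_prefix` instead of `SAMPLE`; repeated runs over time show whether the same prefixes keep reappearing.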

