> I'm thinking it might be some kind of reflection attack, though it's > unclear there's amplification for this kind of SYN traffic.
It's a low level of amplification, but for each SYN received you'll typically send back several SYN/ACKs. There's a thread about it on nanog: https://mailman.nanog.org/pipermail/nanog/2019-August/102713.html I've been seeing a similar pattern for weeks now. Continuous flows of inbound SYNs towards all of our publicly reachable TCP services, often from thousands of addresses within a single AS. It always comes in over the same transit provider.
