@Larvitz One of the "hidden" problems I run into on cloud servers is half open SYN attacks on port 80. Disparate providers and regions, no connections between servers I'm running.
For whatever reasons, it appears the Brazilian telco systems are... compromised? (not sure) - I'm up to 33 .br subnets (/19 to /22 size) having been dropped for targeting all my random servers with port 80 SYN floods. The process is currently manual - when on a server, look at `ss -tn` then cull subnets out of whois.