From http://www.nsc.liu.se/~nixon/sshprobes.html
"So, to more precisely describe what we have found: a small subset of the ssh logins from Chinese IPs to two of our systems are preceded by one or two connections from unrelated Chinese IP addresses, in which opaque binary data is thrown at sshd."
"My hypothesis is that just over a year ago, a new function in the firewall went into limited beta test, where a sample of outgoing ssh connections from China is carefully selected for secondary screening."
"For the selected ssh connections, the target system is probed from one or two IP addresses under the control of the Chinese government. These may be otherwise innocent addresses that are spoofed at the level of the great firewall, or they may be actual computers under remote control by the government - I have no way to tell."
"In some cases, the legitimate ssh connections are unsuccessful; they appear to be interrupted. This may be a result of the firewall deciding the target system to be unsuitable and injecting RST packets into the TCP stream to kill it.
The last few weeks, the frequency of the probing has increased. This might mean the beta test period is nearing its end, and that this function is about to become more widely deployed."
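
One way to look for the pattern quoted above in your own sshd logs, as an added example that is not part of the quoted post: it pairs each accepted login with non-SSH connections from other addresses shortly before it. The log lines are constructed, and the 30-second window, the assumed year and the function names are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd syslog lines; addresses are from documentation ranges.
SAMPLE_LOG = r"""
Mar 12 10:15:01 gw sshd[4101]: Bad protocol version identification '\204\031\352\016' from 203.0.113.7
Mar 12 10:15:03 gw sshd[4102]: Bad protocol version identification '\027\221' from 203.0.113.99 port 40112
Mar 12 10:15:06 gw sshd[4100]: Accepted publickey for alice from 198.51.100.20 port 51234 ssh2
Mar 12 11:40:00 gw sshd[4200]: Accepted password for bob from 192.0.2.44 port 50022 ssh2
Mar 12 13:05:10 gw sshd[4300]: Bad protocol version identification '\003\000\000' from 203.0.113.50
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (.*)$")
# sshd logs this when a client sends something other than an SSH banner.
PROBE = re.compile(r"Bad protocol version identification '.*' from (\S+)")
LOGIN = re.compile(r"Accepted \S+ for (\S+) from (\S+)")

def parse(log, year=2000):
    """Return (probes, logins); syslog omits the year, so one is assumed."""
    probes, logins = [], []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if (p := PROBE.search(m.group(2))):
            probes.append((when, p.group(1)))
        elif (a := LOGIN.search(m.group(2))):
            logins.append((when, a.group(1), a.group(2)))
    return probes, logins

def correlate(log, window_s=30):
    """List logins preceded, within window_s, by probes from other addresses."""
    probes, logins = parse(log)
    window = timedelta(seconds=window_s)
    hits = []
    for when, user, login_ip in logins:
        near = [ip for t, ip in probes
                if ip != login_ip and timedelta(0) <= when - t <= window]
        if near:
            hits.append((user, login_ip, near))
    return hits

if __name__ == "__main__":
    for user, login_ip, near in correlate(SAMPLE_LOG):
        print(f"{user} from {login_ip}: preceded by probes from {', '.join(near)}")
```

The login line is written when authentication completes, so the window has to cover the time between the client's connection and its successful login.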