> Good. That to me looks like a good TCP sequence, however there is one packet > missing - the ACK response from "mydomain" to 24.33.232.227 in response to > the FIN-ACK sent by 24.33.232.227 in packet number 1488. Until this missing > response is seen by netfilter, it will regard that connection as being in the > TIME_WAIT state, however this will expire after 2 minutes. yep strange ... for many sequences it's the same thing. the web server is under Red Hat 7.2. Could it come from it? This phenomenon with many network interrupts appeared one day without any important change from us ... is it possible to exclude the IP that run this sequence ? what could I check ? do you think it could be a kind of attack? thanks because I'm lost ... don't konw what to do with this problem