RE: lots of ACKs for DPT=1433

From the details you gave, it would be natural to assume you are talking about multiple sources sending traffic
to your Internet-exposed IPs, which would normally be some version of PORTSCANNING.
(Even if the packets are 90%-100% ACK packets, they can still be some attempt at portscanning.)

In any case it would be helpful if you add some complete logfile entries (10-20);
if you need to, you can just "MANGLE" your exposed target IPs, but please leave the rest of the logfiles as original as possible.


Best regards
André Paulsberg-Csibi
Senior Network Engineer 
Fault Handling
IBM Services AS
andre.paulsberg-csibi@xxxxxxxx
M +47 9070 5988
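As an added example for this thread (not code posted by anyone on the list, nor part of the netfilter project), the following script does the kind of triage André is asking about: it parses netfilter LOG lines, keeps only TCP packets to a chosen DPT, and counts flag combinations and distinct sources, so you can see at a glance whether the 1433 traffic is pure-ACK probes from many hosts or SYNs from a few. The log lines are constructed to mimic the iptables LOG format; the "INPUT-DROP:" prefix is an assumed --log-prefix and all addresses are documentation ranges.

```python
"""Count TCP flag combinations per destination port in netfilter LOG output.

Added example for the netfilter thread above; not code from the list or from
the netfilter project. SAMPLE_LOG is constructed to mimic iptables LOG lines
(the "INPUT-DROP:" prefix is an assumed --log-prefix, addresses are from
documentation ranges). iptables LOG prints TCP flags as bare words (SYN, ACK,
PSH, ...) between RES= and URGP=.
"""
import re
from collections import Counter, defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Constructed sample: four ACK-only packets to 1433 from three sources,
# one SYN to 1433, one SYN to 22, and one UDP packet that must be ignored.
SAMPLE_LOG = """\
Aug  8 10:12:01 gw kernel: [1001.10] INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=1433 WINDOW=1024 RES=0x00 ACK URGP=0
Aug  8 10:12:03 gw kernel: [1003.20] INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=1433 WINDOW=1024 RES=0x00 ACK URGP=0
Aug  8 10:12:09 gw kernel: [1009.30] INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.18.0.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=1433 WINDOW=1024 RES=0x00 ACK URGP=0
Aug  8 10:12:15 gw kernel: [1015.40] INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=0 DF PROTO=TCP SPT=36512 DPT=1433 WINDOW=1024 RES=0x00 ACK URGP=0
Aug  8 10:12:16 gw kernel: [1016.50] INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=115 ID=54321 PROTO=TCP SPT=36513 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  8 10:12:20 gw kernel: [1020.60] INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=1234 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  8 10:12:25 gw kernel: [1025.70] INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=1234 DF PROTO=UDP SPT=51000 DPT=1433 LEN=28
"""


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line plus a FLAGS frozenset,
    or None when the line is not a TCP packet."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    if fields.get("PROTO") != "TCP":
        return None
    # Flag words stand alone between RES= and URGP=, so a token match is exact.
    fields["FLAGS"] = frozenset(set(line.split()) & TCP_FLAGS)
    return fields


def flag_label(flags):
    """'SYN', 'ACK', 'ACK+SYN', ... or 'NONE' for a flagless packet."""
    return "+".join(sorted(flags)) or "NONE"


def summarize(lines, dpt=1433):
    """Per flag combination: packet count, distinct sources, top-3 sources
    for TCP packets whose DPT matches."""
    by_flags = Counter()
    per_source = defaultdict(Counter)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec.get("DPT") != str(dpt):
            continue
        label = flag_label(rec["FLAGS"])
        by_flags[label] += 1
        per_source[label][rec["SRC"]] += 1
    return {
        "by_flags": dict(by_flags),
        "unique_sources": {k: len(v) for k, v in per_source.items()},
        "top_sources": {k: v.most_common(3) for k, v in per_source.items()},
    }


def ack_only_share(summary):
    """Fraction of matched packets that carried ACK and nothing else."""
    total = sum(summary["by_flags"].values())
    return summary["by_flags"].get("ACK", 0) / total if total else 0.0


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines(), dpt=1433)
    print("flags:          ", s["by_flags"])
    print("unique sources: ", s["unique_sources"])
    print("top sources:    ", s["top_sources"])
    print("ACK-only share:  %.0f%%" % (100 * ack_only_share(s)))
```

Run it against a real journal with `journalctl -k | python3 thisscript.py`-style piping after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`. One check worth doing before reading the numbers: if the LOG rule sits after an `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule, every ACK that reaches it belongs to no tracked connection, i.e. it is unsolicited; a high ACK-only share spread over many distinct sources is then consistent with ACK-flag probing (the pattern nmap's `-sA` produces), which is the point André makes above, whereas the same volume from one or two sources looks more like a stale or misrouted session.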




-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Olaf Zaplinski
Sent: 8 August 2016 10:16
To: netfilter@xxxxxxxxxxxxxxx
Subject: Re: lots of ACKs for DPT=1433

On 2016-08-07 17:29, Rob Sterenborg (Lists) wrote:
> On 04-08-16 12:46, Olaf Zaplinski wrote:
>> Hi,
>> 
>> I see lots of ACKs for DPT=1433 in my logs. Anyone else?
>> 
>> Any idea what is the reason for this?
>> 
>> Olaf
> 
> A lot of scans for a vulnerable MSSQL server.

That would be true if those were SYN requests. But 90% or so of these requests
are ACK requests.

Olaf
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html