I adjusted the logs to keep only the "smallest critical" data left :)

[iptables tarpit]
Aug 4 14:39:59 IN=eth0 SRC=109.170.163.174 LEN=41 TTL=117 ID=26474 SPT=4886 DPT=1433 ACK
Aug 4 14:40:10 IN=eth0 SRC=109.170.163.174 LEN=41 TTL=117 ID=2554 SPT=3381 DPT=1433 ACK
Aug 4 14:40:16 IN=eth0 SRC=95.9.252.66 LEN=41 TTL=115 ID=31945 SPT=58633 DPT=1433 ACK
Aug 4 14:40:17 IN=eth0 SRC=172.87.192.33 LEN=41 TTL=121 ID=24321 SPT=5171 DPT=1433 ACK
Aug 4 14:40:19 IN=eth0 SRC=104.247.220.211 LEN=41 TTL=121 ID=3380 SPT=5240 DPT=1433 ACK
Aug 4 14:40:38 IN=eth0 SRC=23.228.81.116 LEN=41 TTL=117 ID=22249 SPT=1716 DPT=1433 ACK
Aug 4 14:40:42 IN=eth0 SRC=58.96.177.123 LEN=41 TTL=232 ID=28264 SPT=55416 DPT=1433 ACK
Aug 4 14:40:47 IN=eth0 SRC=172.87.192.33 LEN=41 TTL=121 ID=29753 SPT=5171 DPT=1433 ACK
Aug 6 04:26:17 IN=eth0 SRC=61.191.59.179 LEN=40 TTL=113 ID=4715 SPT=1144 DPT=1433 ACK
Aug 6 04:26:17 IN=eth0 SRC=61.191.59.179 LEN=40 TTL=113 ID=4716 SPT=1144 DPT=1433 ACK FIN
Aug 6 04:26:26 IN=eth0 SRC=61.191.59.179 LEN=40 TTL=113 ID=14158 SPT=1144 DPT=1433 ACK FIN

From what I can see these logs show, you have 2 things happening: the last ones from Aug 6 seem like a normal session that is no longer responding (maybe timed out), but this can also be some host who tried to scan that port; it seems more like some accidental access attempt.

The first log entries are pretty surely some kind of port scan, even if the packets are ACK without SYN. Maybe the attackers are looking for systems behind old non-stateful firewalls that only block SYN packets and allow any other flagged packets into their systems, assuming they are "safe" ...

... most likely (and you can try), if you grep for "SRC=109.170.163.174" you will most likely find 3-8 tries, and maybe 1 or 2 with SYN first.

Best regards
André Paulsberg-Csibi
Senior Network Engineer
Fault Handling
IBM Services AS
andre.paulsberg-csibi@xxxxxxxx
M +47 9070 5988
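An added example, not from the message or its author, that turns the grep suggestion above into a small checker: it parses the iptables lines quoted in the message, groups them per SRC, and reports which sources were only ever logged with ACK and never with a SYN, which is the ACK-probe pattern the reply describes. The flag set, the per-source fields and the classification labels are my own assumptions, not anything iptables emits.

```python
from collections import defaultdict

# Log lines copied from the message above (iptables tarpit log, DPT=1433).
LOG = """\
Aug 4 14:39:59 IN=eth0 SRC=109.170.163.174 LEN=41 TTL=117 ID=26474 SPT=4886 DPT=1433 ACK
Aug 4 14:40:10 IN=eth0 SRC=109.170.163.174 LEN=41 TTL=117 ID=2554 SPT=3381 DPT=1433 ACK
Aug 4 14:40:16 IN=eth0 SRC=95.9.252.66 LEN=41 TTL=115 ID=31945 SPT=58633 DPT=1433 ACK
Aug 4 14:40:17 IN=eth0 SRC=172.87.192.33 LEN=41 TTL=121 ID=24321 SPT=5171 DPT=1433 ACK
Aug 4 14:40:19 IN=eth0 SRC=104.247.220.211 LEN=41 TTL=121 ID=3380 SPT=5240 DPT=1433 ACK
Aug 4 14:40:38 IN=eth0 SRC=23.228.81.116 LEN=41 TTL=117 ID=22249 SPT=1716 DPT=1433 ACK
Aug 4 14:40:42 IN=eth0 SRC=58.96.177.123 LEN=41 TTL=232 ID=28264 SPT=55416 DPT=1433 ACK
Aug 4 14:40:47 IN=eth0 SRC=172.87.192.33 LEN=41 TTL=121 ID=29753 SPT=5171 DPT=1433 ACK
Aug 6 04:26:17 IN=eth0 SRC=61.191.59.179 LEN=40 TTL=113 ID=4715 SPT=1144 DPT=1433 ACK
Aug 6 04:26:17 IN=eth0 SRC=61.191.59.179 LEN=40 TTL=113 ID=4716 SPT=1144 DPT=1433 ACK FIN
Aug 6 04:26:26 IN=eth0 SRC=61.191.59.179 LEN=40 TTL=113 ID=14158 SPT=1144 DPT=1433 ACK FIN
"""

# TCP flag tokens iptables logs as bare words (assumed set for this checker).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Split one iptables log line into timestamp, key=value fields and flag set."""
    tokens = line.split()
    ts, rest = " ".join(tokens[:3]), tokens[3:]
    fields = dict(t.split("=", 1) for t in rest if "=" in t)
    flags = {t for t in rest if t in TCP_FLAGS}
    return {"ts": ts, "fields": fields, "flags": flags}

def summarize(log_text):
    """Group hits per SRC: how many, which flags were ever seen, which source ports."""
    per_src = defaultdict(lambda: {"hits": 0, "flags": set(), "sports": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        entry = per_src[rec["fields"]["SRC"]]
        entry["hits"] += 1
        entry["flags"] |= rec["flags"]
        entry["sports"].add(rec["fields"]["SPT"])
    return per_src

def classify(entry):
    """Label a source the way the reply reasons about it (labels are my own)."""
    if "SYN" in entry["flags"]:
        return "handshake seen"
    if "FIN" in entry["flags"] and len(entry["sports"]) == 1:
        return "single-session teardown, no SYN logged"
    return "ACK-only probe, no SYN logged"

if __name__ == "__main__":
    for src, entry in summarize(LOG).items():
        print(f"{src:16} hits={entry['hits']} flags={sorted(entry['flags'])} -> {classify(entry)}")
```

Run against a real log, replacing LOG with the file contents, a source that shows up under "ACK-only probe" with several hits and changing SPT values is the grep result the reply predicts.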