How do I find out what this traffic is going to? I've got CSF running pretty tight and nothing is in the block logs...
# Care should be taken with this option. It's entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be around 300.
# To disable this feature, set this to 0
CT_LIMIT = "160"
# Connection Tracking interval. Set this to the number of seconds between
# connection tracking scans
CT_INTERVAL = "30"
# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. "80,443"
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,443"
I use two commands to identify this kind of traffic. To view connections to my server, I use netstat.
This command displays the whole table, and you can append "| grep SYN" to view connection attempts. Sometimes this kind of traffic is just dummy packets created by automated tools. Simply put, this command shows you incoming packets:
tcpdump -i eth0 -n
It outputs very fast but gives an idea about the source of the attack. You can append " > output.txt" to dump the output to a file and review it easily. Last word: as far as I know, there is no way to prevent these attacks. You should contact your service provider with the outputs of these commands. They are usually able to block the source on the gateways of your network. I hope this helps. Good luck...
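As an added example (not code from this thread or from CSF itself), the shell snippet below does by hand what CSF's connection tracking does on each CT_INTERVAL scan: it counts connections per remote address from `netstat -ant` style output, only on the ports listed in CT_PORTS, and reports sources that have reached CT_LIMIT. The netstat lines in SAMPLE are constructed for the demo; on a live box you would pipe real `netstat -ant` output into the same functions.

```shell
#!/bin/sh
# Added example: per-source connection counting in the spirit of CSF's CT_* options.
CT_LIMIT=160
CT_PORTS="80,443"

# Constructed sample of "netstat -ant" output (not real traffic).
# Fields: Proto Recv-Q Send-Q Local-Address Foreign-Address State
SAMPLE='tcp 0 0 10.0.0.5:80 198.51.100.7:51234 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:51235 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.7:51236 ESTABLISHED
tcp 0 0 10.0.0.5:22 198.51.100.7:51237 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.9:40000 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.9:40001 TIME_WAIT'

# count_by_source PORTS  (reads netstat lines on stdin)
# Prints "<count> <remote-ip>", highest first. Only connections whose local
# port is in PORTS are counted; an empty PORTS counts every port, as CSF does.
# All states except LISTEN count, so TIME_WAIT piles up here too (the
# false-positive case the CSF comments warn about).
count_by_source() {
    awk -v ports="$1" '
      BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
      $1 == "tcp" && $6 != "LISTEN" {
          lport = $4; sub(/.*:/, "", lport)      # local port after the last ":"
          rip = $5; sub(/:[^:]*$/, "", rip)      # remote address without its port
          if (n == 0 || (lport in want)) count[rip]++
      }
      END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# over_limit LIMIT  (reads count_by_source output on stdin)
# Prints only the remote addresses whose count has reached LIMIT.
over_limit() {
    awk -v limit="$1" '$1 >= limit { print $2 }'
}

# Demo on the constructed sample. Live use: netstat -ant | count_by_source "$CT_PORTS" | over_limit "$CT_LIMIT"
printf '%s\n' "$SAMPLE" | count_by_source "$CT_PORTS"
printf '%s\n' "$SAMPLE" | count_by_source "$CT_PORTS" | over_limit "$CT_LIMIT"
```

Nothing in the sample reaches 160, which is the point: the per-source table still tells you which address the SYN_RECV entries belong to even when CSF has not blocked anything yet.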