Full Version: Current Attack?
The Planet Forums > Security > DoS & D-DoS Mitigation
Tim Igoe
Currently noticing a LOT of connections in SYN_WAIT or SYN_RECV status all from the same IP address, 208.98.15.24.

This might not seem odd on its own, but connections are showing on all of our servers, which are (as far as I understand) located in different data centers, and all with very different IP addresses, hosting different sites. Our IPs are definitely not consecutive, so it's not that the person is hitting X and X+1 etc.; perhaps hitting a larger block than just us?

There's literally hundreds of connections between all the servers.

Anyone else noticing this at the moment?

Our servers' IPs are in the 67.15.7*.* range and in the 67.19.47.* range.
Tomy Durden
I'm seeing nothing on my server logs regarding this IP. My dedi is on 74.52.*.* though.
Tim Igoe
We've got one in the 7x range and that's not showing it - only those in the 67 range.
Tim Igoe
We've still got connections from this address - more than 24 hrs after I first noticed them.

Interestingly, if I trace the IP from one of the servers I get ...

1: ev1s-67-15-76-1.ev1servers.net (67.15.76.1) 2.855ms
2: gphou-66-98-241-7.ev1servers.net (66.98.241.7) asymm 3 0.669ms
3: gphou-66-98-240-3.ev1servers.net (66.98.240.3) 0.743ms
4: 216-110-27-97.static.twtelecom.net (216.110.27.97) asymm 9 88.799ms
5: peer-02-so-0-0-0-0.chcg.twtelecom.net (66.192.244.20) asymm 10 29.133ms
6: 66.90.127.205 (66.90.127.205) asymm 12 32.004ms
7: . (66.90.127.178) asymm 11 29.646ms
8: 10.10.50.2 (10.10.50.2) asymm 12 31.882ms
9: 10.0.0.6 (10.0.0.6) asymm 13 32.203ms
10: 208.98.15.24 (208.98.15.24) asymm 14 32.011ms reached
Resume: pmtu 1500 hops 10 back 14

Now, aren't the 10.* IPs reserved and thus should never show on the internet?!

That IP address is registered as being owned by Sharktech.net
Mike G
QUOTE (Tim Igoe @ Apr 15 2008, 11:23 AM) *
Currently noticing a LOT of connections in SYN_WAIT or SYN_RECV status all from the same IP address, 208.98.15.24.

This might not seem odd on its own, but connections are showing on all of our servers, which are (as far as I understand) located in different data centers, and all with very different IP addresses, hosting different sites. Our IPs are definitely not consecutive, so it's not that the person is hitting X and X+1 etc.; perhaps hitting a larger block than just us?

There's literally hundreds of connections between all the servers.

Anyone else noticing this at the moment?

Our servers' IPs are in the 67.15.7*.* range and in the 67.19.47.* range.


Yes. I was looking at another issue when I noticed it. When I look at netstat I see thousands of connections from 208.98.15.24:34757 in SYN_RECV. I alerted our ISP but have not heard from them. I did a traceroute on that and also had an ending in the 10.10 and 10.0 territory.

traceroute to 208.98.15.24 (208.98.15.24), 30 hops max, 40 byte packets
1 72.20.155.1 (72.20.155.1) 2.003 ms 1.74 ms 1.871 ms
2 ge-1-6.r04.hstntx01.us.bb.gin.ntt.net (128.241.5.1) 2.284 ms 2.299 ms 2.593 ms
3 xe-1-3-0.r20.hstntx01.us.bb.gin.ntt.net (129.250.4.233) 2.648 ms 2.514 ms 2.466 ms
4 as-0.r20.dllstx09.us.bb.gin.ntt.net (129.250.3.129) 9.969 ms 9.866 ms 10.436 ms
5 ae-0.r21.dllstx09.us.bb.gin.ntt.net (129.250.2.59) 10.001 ms 12.543 ms 12.346 ms
6 p64-1-1-0.r21.chcgil09.us.bb.gin.ntt.net (129.250.2.23) 36.51 ms 36.63 ms 36.581 ms
7 xe-3-3.r00.chcgil09.us.bb.gin.ntt.net (129.250.3.222) 36.439 ms 36.332 ms 36.577 ms
8 66.90.127.209 (66.90.127.209) 36.904 ms 36.731 ms 36.829 ms
9 (66.90.127.178) 34.41 ms 34.485 ms 34.391 ms
10 10.10.50.2 (10.10.50.2) 36.671 ms 36.711 ms 31.776 ms
11 10.0.0.6 (10.0.0.6) 34.466 ms 34.576 ms 34.181 ms
12 * * *
13 208.98.15.24 (208.98.15.24) 31.818 ms 34.197 ms 32.019 ms

What's up with that?
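A small detection helper for the symptom described in this thread (many half-open SYN_RECV connections from one remote address, as seen in netstat). This is an added example, not code from the forum posts; the netstat sample is constructed, reusing the source address discussed above, and the threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ant` output (not from the thread).
# The remote address 208.98.15.24 is the one discussed above; the
# local addresses and the other peers are made up.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 67.15.76.10:80          208.98.15.24:34757      SYN_RECV
tcp        0      0 67.15.76.10:80          208.98.15.24:34757      SYN_RECV
tcp        0      0 67.15.76.10:80          208.98.15.24:34757      SYN_RECV
tcp        0      0 67.15.76.10:80          198.51.100.7:51234      ESTABLISHED
tcp        0      0 67.15.76.10:22          203.0.113.9:40001       ESTABLISHED
tcp        0      0 67.15.76.10:80          203.0.113.9:40002       SYN_RECV
"""

# Linux prints SYN_RECV; some other stacks print SYN_RECEIVED or SYN_WAIT.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED", "SYN_WAIT"}
# proto, recv-q, send-q, local, foreign, state
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_addr(addr):
    """Return the host part of 'host:port' (also handles '[v6]:port')."""
    host, _, _port = addr.rpartition(":")
    return host.strip("[]")


def half_open_by_source(netstat_text):
    """Count half-open (SYN_RECV) TCP connections per remote IP."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, UDP and unix-socket lines
        _local, foreign, state = m.groups()
        if state in HALF_OPEN_STATES:
            counts[split_addr(foreign)] += 1
    return counts


def suspicious_sources(netstat_text, threshold=100):
    """Return (ip, count) pairs at or above threshold, busiest first.
    The default threshold is an assumed value; tune it per server."""
    counts = half_open_by_source(netstat_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for ip, n in suspicious_sources(text, threshold=2):
        print(f"{ip}: {n} half-open connections")
```

Pipe live output in with `netstat -ant | python3 synrecv.py` (assumed file name) to get the per-source counts for a real host.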
Tim Igoe
QUOTE (Mike G @ Apr 16 2008, 08:18 PM) *
Yes. I was looking at another issue when I noticed it. When I look at netstat I see thousands of connections from 208.98.15.24:34757 in SYN_RECV. I alerted our ISP but have not heard from them. I did a traceroute on that and also had an ending in the 10.10 and 10.0 territory.

You alerted The Planet or your internet ISP there? (Was it affecting your server with The Planet or another machine somewhere else?)
Tomy Durden
I think those 10.*s are being done via hopfake.

http://www.youtube.com/watch?v=EEDxz_35GM8

You may want to block those IPs as it might be a targeted attack.
Tim Igoe
QUOTE (Tomy Durden @ Apr 17 2008, 04:01 AM) *
I think those 10.*s are being done via hopfake.

http://www.youtube.com/watch?v=EEDxz_35GM8

You may want to block those IPs as it might be a targeted attack.

Interesting idea (albeit somewhat pointless).

Is it possible it is the internal network of the source IP's host?
Tomy Durden
QUOTE (Tim Igoe @ Apr 17 2008, 03:12 AM) *
Interesting idea (albeit somewhat pointless).

Is it possible it is the internal network of the source IP's host?

Doubtful. There'd be no way to route those packets across the internet.