Open connections with nothing in logs?

mjm

Verified User
Joined
Mar 21, 2005
Messages
47
Location
San Diego
I'm running DDoS Deflate (http://deflate.medialayer.com/) which looks at open connections on the server and blocks IPs that go over a specific threshold. Normally this is triggered by spam bots/scrapers with a lot of entries in Apache's logs.

Last night, I had 3 IPs banned that have virtually NO information in the logs.

* 15.203.233.76 at 9:50 pm
* 203.10.224.94 at 10:15 pm
* 213.236.208.19 at 9:00 am

Here are the only entries I have in my logs for those IPs:

/var/log/httpd/domains/domain1.com.log:213.236.208.19 - - [29/Apr/2011:09:03:04 -0700] "GET / HTTP/1.0" 302 1505 "-" "TLSProber/0.1"
/var/log/httpd/domains/domain1.com.log:213.236.208.19 - - [29/Apr/2011:09:03:06 -0700] "GET / HTTP/1.0" 302 1505 "-" "TLSProber/0.1"
/var/log/httpd/domains/domain2.com.log:213.236.208.19 - - [29/Apr/2011:09:02:49 -0700] "GET / HTTP/1.0" 200 1372 "-" "TLSProber/0.1"
/var/log/httpd/domains/domain2.com.log:213.236.208.19 - - [29/Apr/2011:09:02:51 -0700] "GET / HTTP/1.0" 200 1372 "-" "TLSProber/0.1"

I've never seen this before. Any insight into what could be happening?
 
By default DDoS Deflate counts the number of connections with netstat on a per-IP basis, and it does not respect a port number. So it does not really matter which local service a remote host is connected to. If a host opens more than the defined allowed number of connections to FTP/POP/SMTP/etc., it definitely will get banned.

So, somebody with those IPs opened too many connections. That's all I can say with your information. Probably somebody else can say more.
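To make the point above concrete, here is an added example (not DDoS Deflate's own script) that reproduces its per-IP counting over a constructed `netstat` sample and adds the per-local-port breakdown an admin would want when a banned IP leaves nothing in the web logs. The sample addresses, the threshold of 3 and the function names are assumptions for the demo.

```bash
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not a real capture). Only the
# Local Address ($4) and Foreign Address ($5) columns matter here.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:21             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:21             203.0.113.9:40002       ESTABLISHED
tcp        0      0 10.0.0.5:21             203.0.113.9:40003       ESTABLISHED
tcp        0      0 10.0.0.5:110            203.0.113.9:40004       TIME_WAIT
tcp        0      0 10.0.0.5:443            192.0.2.44:33000        ESTABLISHED'

# Per-IP count the way DDoS Deflate does it: drop the port from the foreign
# address and count every connection, whatever local service it went to.
count_per_ip() {
  printf '%s\n' "${1:-$SAMPLE_NETSTAT}" \
    | awk 'NR > 2 { split($5, r, ":"); print r[1] }' \
    | sort | uniq -c | sort -rn
}

# Per-IP, per-local-port breakdown: this is what tells you that a "silent"
# IP was hammering FTP (21) or POP3 (110), which never appears in Apache logs.
count_per_ip_port() {
  printf '%s\n' "${1:-$SAMPLE_NETSTAT}" \
    | awk 'NR > 2 { split($4, l, ":"); split($5, r, ":"); print r[1], l[2] }' \
    | sort | uniq -c | sort -rn
}

# Connection count for one IP (0 if absent), as the threshold check sees it.
count_for_ip() {
  count_per_ip | awk -v ip="$1" '$2 == ip { print $1; f = 1 } END { if (!f) print 0 }'
}

# Threshold check; DDoS Deflate's NO_OF_CONNECTIONS defaults to 150, lowered
# here (assumed value 3) so the constructed sample trips it.
over_threshold() {
  n=$(count_for_ip "$1")
  [ "$n" -ge "${2:-3}" ]
}

echo "Per IP (what DDoS Deflate counts):"; count_per_ip
echo "Per IP and local port (what to check before trusting the ban):"; count_per_ip_port
```

Run against a live box, replace `SAMPLE_NETSTAT` with the output of `netstat -ntu` and the second listing shows which port the banned IPs were actually connected to.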
 
Thanks for the reply. Normally, I'd have a bunch of log entries associated with the banned IPs, but for some reason these 3 have almost no information, which is what confuses me.
 