Strange connections from router

Hi,
Recently I noticed such connection from the router.
Any ideas?

Edit: Not sure but maybe happening from speedtest.net?

Noticed another one.

Found that these connections from sentinel-mini. I m getting nervous from this. What are these connections?

What is the direction of the connection? incoming or outgoing (relative to the router)?

How to check the direction?

I see minipots listening on that port.

root@turris:~# netstat -tnpl | grep 2333
tcp        0      0 :::2333                 :::*                    LISTEN      6267/sentinel-minip

I was expecting minipots. In that case, it would be pretty much okay, as all communication to these ports is forwarded to CZ.NIC where they capture the attackers and play with them. No harm to the router possible.

But that depends on the direction of the connections. As I don’t know from which program the screenshots are, it’s difficult to tell the connection direction. If they were outgoing connections, that would mean a problem.

That’s for HaaS but minipots are processed locally, IIRC.

Screenshots are from netstat.
First one I noticed by coincidence, it took my attention then I tried repeatedly every few seconds, it is surprising to see almost every 5 minutes new attack is being made.

So since these connections are all on local 2333 (where sentinel-minipots listens) can we say that they are incoming connections?

@vcunat if not forwarded to CZ.NIC how are these processed locally? Any documentation for that?

I don’t think such details are really documented, but it’s all in the open: Turris / Sentinel / Minipots · GitLab

Yes, that sounds most likely.

If anyone knows if minipots log to somewhere?