Runaway kernel? Or an attack?

Andresen, Jason R. jandrese at mitre.org
Wed Oct 18 20:07:33 UTC 2006


Ok, I have a recurring problem with my webserver.  Once a day or so it
gets locked into a loop with some random server usually somewhere in my
ISP.  When it does this, it spends all of its time spitting out packets
and getting FIN, ACKs back.  

Shutting down the HTTP server doesn't stop the traffic.  I have to
create firewall rules to block the outgoing traffic to stop it.  Wiping
the disk and reinstalling from the CD didn't help either.  This host is
behind a NAT (A D-Link DI-604 router).  Is this a bad packet injection
attack, a bug, or has my box been compromised?  

This problem has persisted from when the box was 5.4 all the way to
its current 6.0 life.  Sadly, I cannot upgrade it beyond 6.0 Release
at the moment because it has a proprietary vendor binary kernel module
for the RAID array, and the newest version they have is for 6.0. 

Here's a short tcpdump of the traffic when it happens, these packets
are going out at a rate of thousands per second.  The 192.168.42.2 is
the local host and 192.76.86.83 is the apparently random victim:

09:36:51.056914 IP (tos 0x0, ttl  64, id 57273, offset 0, flags [DF],
proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: .,
cksum 0xd1b3 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp
147178754 27589156>
09:36:51.059404 IP (tos 0x0, ttl  51, id 61707, offset 0, flags [none],
proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F,
cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp
27589156 147178723>
09:36:51.059469 IP (tos 0x0, ttl  64, id 57274, offset 0, flags [DF],
proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: .,
cksum 0xd1b0 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp
147178757 27589156>
09:36:51.060004 IP (tos 0x0, ttl  51, id 61709, offset 0, flags [none],
proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F,
cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp
27589156 147178723>
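One way to confirm what the trace shows, as an added example that is not part of the original post: a small Python parser for the `tcpdump -v` line format above that groups packets by connection and flags a flow as a control-packet loop when both ends keep repeating the same payload-free segment (same flags, sequence and ack numbers) at a high rate. The four packets above are embedded as the sample input; the second, benign flow (a normal data transfer to 10.0.0.5) is constructed here so the negative case is exercised too. The thresholds (`min_packets`, `min_pps`) are assumptions, not values from the post.

```python
"""Detect a TCP ACK/FIN ping-pong loop in `tcpdump -v` output (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Matches one `tcpdump -v` line of the shape shown in the post (TCP only).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?ttl\s+(?P<ttl>\d+).*?\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[^,]+), cksum \S+ \([^)]*\), "
    r"(?P<seq>\d+):(?P<seqend>\d+)\((?P<plen>\d+)\) ack (?P<ack>\d+) win (?P<win>\d+)"
)

# The four packets quoted in the post, each re-joined onto a single line.
SAMPLE_LINES = [
    "09:36:51.056914 IP (tos 0x0, ttl  64, id 57273, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: ., cksum 0xd1b3 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp 147178754 27589156>",
    "09:36:51.059404 IP (tos 0x0, ttl  51, id 61707, offset 0, flags [none], proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F, cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp 27589156 147178723>",
    "09:36:51.059469 IP (tos 0x0, ttl  64, id 57274, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.42.2.80 > 192.76.86.83.22929: ., cksum 0xd1b0 (correct), 0:0(0) ack 0 win 33120 <nop,nop,timestamp 147178757 27589156>",
    "09:36:51.060004 IP (tos 0x0, ttl  51, id 61709, offset 0, flags [none], proto: TCP (6), length: 52) 192.76.86.83.22929 > 192.168.42.2.80: F, cksum 0x5331 (correct), 0:0(0) ack 1 win 65535 <nop,nop,timestamp 27589156 147178723>",
]

# Constructed (not from the post): an ordinary data transfer that must not be flagged.
BENIGN_LINES = [
    "09:36:52.000000 IP (tos 0x0, ttl  64, id 1, offset 0, flags [DF], proto: TCP (6), length: 1500) 192.168.42.2.80 > 10.0.0.5.40000: P, cksum 0x0000 (correct), 1:1449(1448) ack 1 win 33120 <nop,nop,timestamp 1 1>",
    "09:36:52.000100 IP (tos 0x0, ttl  60, id 2, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.0.5.40000 > 192.168.42.2.80: ., cksum 0x0000 (correct), 1:1(0) ack 1449 win 65535 <nop,nop,timestamp 1 1>",
    "09:36:52.000200 IP (tos 0x0, ttl  64, id 3, offset 0, flags [DF], proto: TCP (6), length: 1500) 192.168.42.2.80 > 10.0.0.5.40000: P, cksum 0x0000 (correct), 1449:2897(1448) ack 1 win 33120 <nop,nop,timestamp 1 1>",
    "09:36:52.000300 IP (tos 0x0, ttl  60, id 4, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.0.5.40000 > 192.168.42.2.80: ., cksum 0x0000 (correct), 1:1(0) ack 2897 win 65535 <nop,nop,timestamp 1 1>",
]


def parse_line(line):
    """Return the fields we need from one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%H:%M:%S.%f"),
        "src": f'{d["src"]}:{d["sport"]}',
        "dst": f'{d["dst"]}:{d["dport"]}',
        "flags": d["flags"].strip(),
        "seq": int(d["seq"]),
        "ack": int(d["ack"]),
        "payload": int(d["plen"]),
    }


def detect_storms(lines, min_packets=4, min_pps=100.0):
    """Group packets per connection and report flows stuck in a payload-free loop.

    A flow is reported when (a) it has at least `min_packets` packets, (b) none of
    them carries data, (c) each side sends exactly one distinct (flags, seq, ack)
    state, i.e. neither side ever advances, and (d) the packet rate is high.
    Lines are assumed to be in capture order.
    """
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            flows[tuple(sorted((pkt["src"], pkt["dst"])))].append(pkt)

    findings = []
    for key, pkts in flows.items():
        if len(pkts) < min_packets:
            continue
        if any(p["payload"] for p in pkts):
            continue  # real data is moving; not a pure control-packet loop
        states = defaultdict(set)
        for p in pkts:
            states[p["src"]].add((p["flags"], p["seq"], p["ack"]))
        if len(states) != 2 or any(len(s) != 1 for s in states.values()):
            continue  # one-sided traffic, or at least one side is making progress
        span = (pkts[-1]["ts"] - pkts[0]["ts"]).total_seconds()
        pps = len(pkts) / span if span > 0 else float("inf")
        if pps < min_pps:
            continue
        findings.append({
            "flow": key,
            "packets": len(pkts),
            "pps": pps,
            "states": {host: next(iter(s)) for host, s in states.items()},
        })
    return findings


if __name__ == "__main__":
    for f in detect_storms(SAMPLE_LINES + BENIGN_LINES):
        print(f"loop between {f['flow'][0]} and {f['flow'][1]}: "
              f"{f['packets']} pkts at {f['pps']:.0f} pkt/s, states {f['states']}")
```

On the four quoted packets the detector reports one flow: the local side repeats a bare ACK with `ack 0`, the remote side repeats a FIN with `ack 1`, and neither state ever changes, which is exactly the "spitting out packets and getting FIN, ACKs back" symptom. The same function run over a longer capture gives a per-connection list that can be matched against firewall rules or a cron job that alerts when a loop appears.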
