Do you think it can be a synflood attack? I can see it only during peak hours, if it would be attack, I would expect it to be nonstop. If it would be synflood, how would nginx handle it? SYN_RECV means that kernel has received the initial SYN packet, but the userspace (nginx) didn't reply with SYN+ACK yet. But from strace it seems that nginx is not receiving those connections...
Every request is from different IP (as it's ad-tracking I have more than 3 milions diff. IPs per day). Here is output:
bill3:~:# netstat -tnp | grep SYN_RECV |sort -k5,5
tcp 0 0 92.x.x.x:80 108.84.25.217:49988 SYN_RECV -
tcp 0 0 92.x.x.x:80 171.0.128.220:59857 SYN_RECV -
tcp 0 0 92.x.x.x:80 188.22.33.219:63756 SYN_RECV -
tcp 0 0 92.x.x.x:80 194.168.179.130:54327 SYN_RECV -
tcp 0 0 92.x.x.x:80 2.218.18.53:49980 SYN_RECV -
tcp 0 0 92.x.x.x:80 212.106.232.41:3887 SYN_RECV -
tcp 0 0 92.x.x.x:80 213.105.53.187:56882 SYN_RECV -
tcp 0 0 92.x.x.x:80 213.105.53.187:56948 SYN_RECV -
tcp 0 0 92.x.x.x:80 213.107.67.17:56947 SYN_RECV -
tcp 0 0 92.x.x.x:80 217.137.153.229:4384 SYN_RECV -
tcp 0 0 92.x.x.x:80 46.25.124.158:59649 SYN_RECV -
tcp 0 0 92.x.x.x:80 62.254.142.85:59674 SYN_RECV -
tcp 0 0 92.x.x.x:80 62.255.147.169:58835 SYN_RECV -
tcp 0 0 92.x.x.x:80 62.31.128.35:51695 SYN_RECV -
tcp 0 0 92.x.x.x:80 77.100.4.202:56501 SYN_RECV -