Forum Discussion

Armando1973
Jul 02, 2025

Strange connection from VIP to suspicious IP on Internet

Hi everyone,

 

I have a VIP that publishes a web service on ports 80/443 to the Internet. Lately, I noticed there is some connection from the VIP to a suspicious Internet IP (45.33.12.214). I checked and this IP is highly suspicious. But I wonder why there is a log on the Internet firewall where the source is my VIP, the src port is 80, the destination is that IP 45.33.12.214 and the dst port is 34233.

 

Does it mean the attackers have compromised my backend servers and control them to send some information to the attackers? But the weird thing is that the VIP range is different from my Self-IP range, and I configured no routes to the Internet on my F5 under Network > Routes > Route List.

I also noticed that, before the connection from the VIP to this IP, there were multiple connections from that IP 45.33.12.214 to the public IP that NATs to my VIP, from various src ports, including 34233, to port 80. But the gap between the connections from 45.33.12.214 and the connection from my VIP is 2 mins; I think that is too long for a reply. Besides, firewalls are stateful, so if it were just a reply in the same session initiated by 45.33.12.214, I don't think it would be separated into two log records with reversed Source/Dest IP and Source/Dest Port.

There is also a big difference between the connections from the 2 sources: around 100 connections from 45.33.12.214 and, 2 mins later, 1 connection from my VIP.

 

Source Address Translation on both the 80 and 443 VIPs is set to Auto Map.

 

Please let me know if you know why this is.

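Added example, not part of the original post: one way to triage the firewall records described above is to check whether each VIP-sourced record mirrors the 4-tuple of an earlier inbound connection (consistent with a late packet of that flow being logged after its state entry aged out) or has no inbound counterpart at all. The log format, the 203.0.113.10 / 10.10.10.10 NAT pair, the 198.51.100.7 record and the 300-second window are constructed assumptions.

```python
from datetime import datetime

# Constructed sample firewall records: time, src, sport, dst, dport.
# 203.0.113.10 (public) and 10.10.10.10 (VIP) are placeholder addresses.
SAMPLE_LOG = """\
2025-07-01T10:00:00,45.33.12.214,34231,203.0.113.10,80
2025-07-01T10:00:01,45.33.12.214,34233,203.0.113.10,80
2025-07-01T10:02:03,10.10.10.10,80,45.33.12.214,34233
2025-07-01T11:15:00,10.10.10.10,51514,198.51.100.7,443
"""
NAT = {"203.0.113.10": "10.10.10.10"}  # public IP -> VIP (assumed mapping)

def parse(text):
    """Turn the CSV-style sample lines into time-ordered tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return sorted(rows)

def triage(rows, nat=NAT, window_s=300):
    """Label each VIP-sourced record by whether it mirrors an earlier inbound flow."""
    vips = set(nat.values())
    last_inbound = {}  # (client, client port, VIP, VIP port) -> last time seen
    results = []
    for ts, src, sport, dst, dport in rows:
        if src in vips:
            # Reverse the tuple and look for the inbound flow it would answer.
            seen = last_inbound.get((dst, dport, src, sport))
            gap = (ts - seen).total_seconds() if seen else None
            if gap is not None and gap <= window_s:
                label = "mirrors-inbound"      # candidate late packet of that flow
            else:
                label = "no-matching-inbound"  # candidate server-initiated traffic
            results.append((src, sport, dst, dport, label, gap))
        else:
            # Store inbound flows keyed by the post-NAT (VIP) destination.
            last_inbound[(src, sport, nat.get(dst, dst), dport)] = ts
    return results

if __name__ == "__main__":
    for record in triage(parse(SAMPLE_LOG)):
        print(record)
```

Records labelled `no-matching-inbound` are the ones to follow up on the backend servers; for `mirrors-inbound` records, compare the reported gap with the firewall's TCP session timeout.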