I noticed something interesting. Almost 90+ percent of all inbound traffic blocked is using source port 52599. Not sure why this would be unless they are mostly using the same toolset? And does this mean that by just blocking incoming source port 52599 I can block a whole lot of malicious traffic? I'm sure it may block some legitimate traffic outbound that may be sourced from the same port, but you should be able to apply it to inbound traffic only. Now I wish I had real-time flow data to analyze this.
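An added example, not part of the original post: one way to test the observation against exported firewall or flow records before writing a rule. The record layout (`action,direction,src_ip,src_port,dst_port`), the sample lines and the function names are all constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real traffic): action,direction,src_ip,src_port,dst_port
SAMPLE_LOG = """\
block,in,198.51.100.7,52599,23
block,in,198.51.100.7,52599,2323
block,in,203.0.113.40,52599,22
block,in,203.0.113.41,52599,445
block,in,203.0.113.90,52599,3389
block,in,192.0.2.15,52599,23
block,in,192.0.2.15,52599,8080
block,in,192.0.2.77,52599,5555
block,in,192.0.2.200,52599,81
block,in,198.51.100.23,41822,23
allow,in,192.0.2.50,52599,443
allow,in,192.0.2.51,49152,443
allow,in,192.0.2.52,50111,25
allow,out,10.0.0.5,52599,443
"""

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5 or not parts[3].isdigit() or not parts[4].isdigit():
            continue
        action, direction, src_ip, sport, dport = parts
        yield {"action": action, "dir": direction, "src": src_ip,
               "sport": int(sport), "dport": int(dport)}

def source_port_report(records, port):
    """Summarise what an inbound-only block on source `port` would affect."""
    inbound = [r for r in records if r["dir"] == "in"]
    blocked = [r for r in inbound if r["action"] == "block"]
    allowed = [r for r in inbound if r["action"] == "allow"]
    hits = [r for r in blocked if r["sport"] == port]
    return {
        "top_blocked_sports": Counter(r["sport"] for r in blocked).most_common(3),
        "share_of_blocked": len(hits) / len(blocked) if blocked else 0.0,
        # Distinguishes one noisy host from many hosts sharing the same source port.
        "distinct_sources": len({r["src"] for r in hits}),
        # Currently allowed inbound flows that the new rule would also drop.
        "allowed_inbound_dropped": sum(r["sport"] == port for r in allowed),
        "allowed_inbound_total": len(allowed),
    }

if __name__ == "__main__":
    print(source_port_report(list(parse(SAMPLE_LOG)), 52599))
```

The blocked flows are already being dropped by existing rules, so the figure that decides whether a source-port rule is worth adding is `allowed_inbound_dropped` against `allowed_inbound_total`.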