Strange dropped packets coming from port 8888 and with ACK or ACK+PSH set

Background

During an incident on a small privative network (1 router/FW + 1 server) my server got accidentally exposed to the internet.

Fortunately it was protected by it's own UFW to allow only 1 specific traffic from a specific netrange and drop everything else on this interface.

Therefore, during the incident, it logged a lot of abnormal traffic which I've tried to categorize. I got :

• Port scan (SYN only packets)
• DNS scan (UDP to port 53)
• DNS spoofing attempt (UDP from port 53 to port > 40000)

But I also got 1 pattern that I couldn't categorize ...

Question

1. Am I right on my categorization ?
2. Do you know what kind of traffic / attack attempt would trigger my firewall to log packet with the following specifications :
   • TCP only
   • Flags : ACK (90%) or ACK+PSH (10%)
   • Mostly comming from port 8888 (70%)
   • LEN=52 WINDOW=18 (50%) ; LEN <100 (90%) and WINDOW<=20 (90%)
   • wide range of destination port above 30000