Ungraceful Disconnects from unknown clients

I am running a single-node instance of HiveMQ CE on Ubuntu 18.04 for a production system that is open to the internet on a non-standard MQTT port. Periodically (2-4 times per day, for about 10-30 minutes) I see a large number of messages in event.log identical to the following:

[TIMESTAMP] - Client ID: UNKNOWN, IP: UNKNOWN disconnected ungracefully.

I see the CPU usage of our machine climb steadily during this period, as well as the rate of DISCONNECT messages (although our 15k+ clients stay connected at a normal level). I have not found any relevant information anywhere on the web, and without a ClientID or source IP address, I’m not sure how to trace where this traffic is coming from.

Is it possible that someone is discovering our server with a port-scanning tool? Do I have a configuration parameter set incorrectly?

I also see these messages periodically:

[TIMESTAMP] - Client ID: UNKNOWN, IP: UNKNOWN was disconnected. reason: SSL handshake failed.

Hey @ryantaylortnp,

since your environment is reachable from the internet, this is likely the result of port scans.
The log message you are seeing would match the behaviour of a client (or port scanning utility) establishing a TCP connection with the broker completing further steps.
This in and of itself is no reason to worry.

Side note: You could consider logging all incoming TCP connections and determining if there are recurring IPs in these connection spikes, which then could be blocked via firewall.

Kind regards,
Finn
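
An added example, not part of either post and not HiveMQ code: one way to act on the side note above is to group logged inbound connections into time windows and list the source IPs that are heavy in more than one spike, giving a short candidate list for a firewall rule. It assumes a firewall log rule writes one syslog line per new TCP connection in iptables LOG field layout; the `MQTT-NEW: ` prefix, port 18883, the thresholds and all addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed input: one syslog line per new inbound TCP connection, in the field
# layout of an iptables LOG rule. Prefix "MQTT-NEW: " and port are hypothetical.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?MQTT-NEW: .*?SRC=(\S+) .*?DPT=(\d+)")

def parse(lines, port, year=2024):
    """Yield (timestamp, source_ip) for connections to the broker port."""
    for line in lines:
        m = LINE.match(line)
        if m and int(m.group(3)) == port:
            # syslog timestamps carry no year, so one is supplied
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def recurring_sources(events, window_min=10, spike_total=20, per_ip_min=10, min_spikes=2):
    """Return [(ip, spike_windows)] for sources that are heavy in repeated spikes."""
    windows = defaultdict(Counter)
    for ts, ip in events:
        start = ts.replace(minute=ts.minute // window_min * window_min, second=0)
        windows[start][ip] += 1
    hits = Counter()
    for counts in windows.values():
        if sum(counts.values()) < spike_total:
            continue  # normal connection rate, not a spike
        for ip, n in counts.items():
            if n >= per_ip_min:
                hits[ip] += 1
    return sorted((ip, n) for ip, n in hits.items() if n >= min_spikes)

def _line(ts, src):
    return (f"{ts} broker kernel: MQTT-NEW: IN=eth0 OUT= SRC={src} "
            "DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=18883 SYN")

# Constructed sample (RFC 5737 documentation addresses): two spikes and one
# ordinary connection.
SAMPLE = (
    [_line(f"Mar  3 02:1{i % 10}:00", "198.51.100.7") for i in range(30)]
    + [_line(f"Mar  3 14:4{i % 10}:00", "198.51.100.7") for i in range(25)]
    + [_line(f"Mar  3 14:4{i % 10}:30", "203.0.113.9") for i in range(25)]
    + [_line("Mar  3 09:00:00", "192.0.2.77")]
)

if __name__ == "__main__":
    for ip, n in recurring_sources(parse(SAMPLE, port=18883)):
        print(f"{ip} was a heavy source in {n} spike windows")
```

Before blocking anything, compare the resulting addresses against the known address ranges of legitimate clients, since a fleet reconnecting behind one NAT address can look like a single heavy source.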